Tuesday, 19 January 2016
Malware spam: "Daily Mail - Payment overdue" / Raashida Sufi [Raashida.Sufii@dmgmedia.co.uk]
This fake financial spam does not come from the Daily Mail, but is instead a simple forgery with a malicious attachment:
From Raashida Sufi [Raashida.Sufii@dmgmedia.co.uk]
Date Tue, 19 Jan 2016 11:40:37 +0300
Subject Daily Mail - Payment overdue
Hi,
I have currently taken over from my colleague Jenine so will be your new POC going forward.
I have attached an invoice that is currently overdue for £360.00. Kindly email me payment confirmation today so we can bring your account up to date?
Kind Regards
Rash Sufi
Credit Controller, dmg media Finance Services
Telephone: +44(0)203 615 5083 Email: Raashida.Sufi@dmgmedia.co.uk
Shared Values: Customer Focus, Excellence, Innovation, Integrity, Teamwork, Accountability, Learning
P.O. Box 6795, St. George Street, Leicester, LE1 1ZP
______________________________________________________________________
This e-mail and any attached files are intended for the named addressee only. It contains information, which may be confidential and legally privileged and also protected by copyright. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use it, or disclose it to anyone else. If you received it in error please notify the sender immediately and then delete it from your system.
Associated Newspapers Ltd. Registered Office: Northcliffe House, 2 Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
I have seen three different versions of the malicious attachment Invoice.doc (VirusTotal results [1] [2] [3]). The Malwr analysis of these documents [4] [5] [6] shows that the payload is identical to the Dridex banking trojan described here.
OMG: Twitter down.. "Something is technically wrong"
Twitter has been down for at least an hour. It feels like losing a limb. OK. Maybe not. A metaphorical limb. Please don't offer to come round to remove one just so I can compare.
Malware spam: "Thank you for purchasing from Cheaper Travel Insurance - 14068156"
This fake financial spam comes with a malicious attachment:
From info17@Resellers.insureandgo.com
Date Tue, 19 Jan 2016 14:27:06 +0530
Subject Thank you for purchasing from Cheaper Travel Insurance - 14068156
Your policy number: MF/CP/205121/14068156
Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156
Insurance is arranged by Insure & Go Insurance Services Ltd who are authorised and regulated by the Financial Conduct Authority. Insure & Go Insurance Services Ltd Registered Address: 10th Floor Maitland House, Warrior Square, Southend-on-Sea, Essex SS1 2JY. Registered in England and Wales (Company Number: 04056769). Calls may be recorded and monitored.
The sender appears to be from info[some-random-number]@Resellers.insureandgo.com, but it is just a simple forgery. Attached is a malicious Word document that I have seen five different versions of (VirusTotal results [1] [2] [3] [4] [5]).
The Malwr reports on the samples [1] [2] [3] [4] [5] show download locations as:
www.cnbhgy.com/786585d/08g7g6r56r.exe
seaclocks.co.uk/786585d/08g7g6r56r.exe
mosaicambrosia.com/786585d/08g7g6r56r.exe
This has a VirusTotal result of 3/54. The Malwr and VirusTotal reports combined with this Hybrid Analysis show traffic to:
216.59.16.175 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
200.57.183.176 (Triara.com, S.A. de C.V., Mexico)
62.109.133.248 (Ignum s.r.o, Czech Republic)
103.23.154.184 (Ozhosting.com Pty Ltd, Australia)
41.38.18.230 (TE Data, Egypt)
202.137.31.219 (Linknet, Indonesia)
176.53.0.103 (Network Devices, Turkey)
The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign.
Dropped file MD5:
bbb091c44cb44dd348b8745590b2d9dd
4f272b8af966ccd73880888015d87e40
Attachment MD5s:
Recommended blocklist:
UPDATE
The payload has now changed to one with an MD5 of 4f272b8af966ccd73880888015d87e40 and a detection rate of 2/54. The Malwr report indicates that the network behaviour is pretty much the same.
Monday, 18 January 2016
Malware spam FAIL: "Statements" / Alison Smith [ASmith@jtcp.co.uk]
This fake financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From Alison Smith [ASmith@jtcp.co.uk]
Date Mon, 18 Jan 2016 18:27:36 +0530
Subject Statements
Sent 12 JAN 16 15:36
J Thomson Colour Printers
14 Carnoustie Place
Glasgow
G5 8PB
Telephone 0141 4291094
Fax 0141 4295638
Attached is a file S-STA-SBP CRE (0036).xls which is actually corrupt, due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since Friday the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one, also spoofing the same company.
Malware spam FAIL: "Water Cooler World Invoice" / tom.thomson@watercoolerworld.com
This fake invoice is not from Water Cooler World but is instead a simple forgery with a malicious attachment. I was not able to capture the body text.
From =?iso-8859-1?B?IlRvbSBUaG9tc29uIFdhdGVyIENvb2xlciBXb3JsZCI=?= [tom.thomson@watercoolerworld.com]
Date Mon, 18 Jan 2016 18:35:14 +0700
Subject Water Cooler World Invoice
Attached is a file INVOICE_F-160003834.doc which will appear to be corrupt because the MIME attachment is malformed (it will either appear to be zero length or it will be garbage). This is the second corrupt spam run today; it was meant to be delivering the Dridex banking trojan. A fuller analysis of the attempted payload can be found here.
Malware spam FAIL: "Invoice January" / "A . Baird" [ABaird@jtcp.co.uk]
This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From "A . Baird" [ABaird@jtcp.co.uk]
Date Mon, 18 Jan 2016 16:17:20 +0530
Subject Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller
[cid:image001.png@01CEE6A0.2D48E1B0]
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Direct Dial: 0141 418 5303
Tel: 0141 429 1094
www.jtcp.co.uk
P Save Paper - Do you really need to print this e-mail?
Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.
If you can get hold of the original message, then it should be possible to locate the faulty Base64 section, which has a leading space in it. Removing the space and decoding the Base64 would produce the intended malicious message. Obviously, I don't recommend doing that unless you want to decode the malware.
UPDATE
A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo.com/786585d/08g7g6r56r.exe
esecon.com.br/786585d/08g7g6r56r.exe
outago.com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers, which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173
Friday, 15 January 2016
Malware spam FAIL: "Statement" / Kelly Pollard [kelly.pollard@carecorner.co.uk]
This fake financial spam is meant to have a malicious attachment, but it is corrupt:
From Kelly Pollard [kelly.pollard@carecorner.co.uk]
Date Fri, 15 Jan 2016 13:56:01 +0200
Subject Statement
Your report is attached in DOC format.
Kelly Pollard
Marketing Manager
Tel: 01204 89 54 10 Fax: 01204 89 54 11
[final care corner logo]
The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here and here, namely the Dridex banking trojan. This is the third corrupt Dridex run today. Shame.
Malware spam FAIL: "Reservation Confirmation Number79501" / reservations@draytonmanorhotel.co.uk
This fake hotel reservation is meant to have a malicious attachment, but it is corrupt and you cannot download it.
From [reservations@draytonmanorhotel.co.uk]
Date Fri, 15 Jan 2016 16:21:55 +0530
Subject Reservation Confirmation Number79501
We are pleased to confirm the attached booking at Drayton Manor Hotel.
Should you have any queries, please do not hesitate to contact us. We look forward to welcoming you to Drayton Manor Hotel.
Kind Regards
Harry Ashbolt
Reservations
The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).
A source tells me that when repaired, the documents attempt to download a malicious binary from:
hotyo.1pworks.com/786585d/08g7g6r56r.exe
members.chello.nl/~h.pot2/786585d/08g7g6r56r.exe
w04z5e8ry.homepage.t-online.de/786585d/08g7g6r56r.exe
The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.
Malware spam: "Scanned image from MX-2640N" / cm_sharpscan@yahoo.co.uk
This fake document spam is meant to have a malicious attachment, but all the versions I have seen are corrupt.
From: cm_sharpscan@yahoo.co.uk
Date: 15 January 2016 at 10:12
Subject: Scanned image from MX-2640N
Reply to: cm_sharpscan@yahoo.co.uk [cm_sharpscan@yahoo.co.uk]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned image in Microsoft Word format.
The attachment is meant to be in the format username@domain.tld_201601151152_097144.doc but due to an apparent error in the MIME formatting, saving it results in a file in the format _username@domain.tld_201601151152_097144.doc_ 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead.
The next problem for the bad guys is that they have added a leading space to the Base64-encoded section containing the attachment. This means that unless the mail client somehow fixes the error, the attachments are harmless (VirusTotal results [1] [2] [3] [4]).
Now, not many people are going to wade in and fix the malicious attachments, but I did and I got three unique files (VirusTotal results [1] [2] [3]).
Analysis of these documents is pending, but the payload is probably meant to be the Dridex banking trojan.
UPDATE
I managed to coax a Hybrid Analysis of two of the documents [1] [2] showing download locations of:
nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe
This executable is the same one dropped in this spam run. It currently has a VirusTotal detection rate of 6/54.
Ironically, that Ukrainian site is on 91.217.91.18 (PE Ivanov Vitaliy Sergeevich, Ukraine) and it is the only time I have seen a legitimate site in that netblock, and it has been hacked. In any case, I would recommend blocking the entire 91.217.90.0/23, legitimate sites or not.
Those two Hybrid Analysis reports give a whole bunch of callback IPs between them:
88.208.35.71 (Advanced Hosters B.V., NL)
216.117.130.191 (Internet Technologies Inc., US)
116.12.92.107 (Lanka Comunication Services, Sri Lanka)
46.32.243.144 (Heart Internet VPS, UK)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
161.53.144.25 (Veleuciliste U Sibeniku, Croatia)
41.38.18.230 (TE Data, Egypt)
Despite the fact that the attachments aren't working, I would expect to see those IPs in use for other badness and I would recommend blocking them.
Recommended blocklist:
Malware spam: "Your order #7738326 From The Safety Supply Company" / Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
This fake financial spam does not come from The Safety Supply Company but is instead a simple forgery with a malicious attachment:
From: Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date: 15 January 2016 at 09:06
Subject: Your order #7738326 From The Safety Supply Company
Dear Customerl
Thank you for your recent purchase.
Please find the details of your order through The Safety Supply Company attached to this email.
Regards,
The Sales Team
So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.
UPDATE 1
This Hybrid Analysis on the first sample shows it downloading from:
149.156.208.41/~s159928/786585d/08g7g6r56r.exe
That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:
216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)
I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.
Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2
Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac
UPDATE 2
This related spam run gives some additional download locations:
nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe
Sources also tell me that there is one at:
204.197.242.166/~topbun1/786585d/08g7g6r56r.exe
Recommended blocklist:
Thursday, 14 January 2016
Malware spam: "Message from local network scanner" / Scann16011310150.docf
This fake document scan comes with a malicious attachment.
From: jpaoscanner@victimdomain.tld
Date: 14 January 2016 at 10:45
Subject: Message from local network scanner
There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.
Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The file is a Word document, despite the extension; I don't think anything opens DOCF files by default. This is maybe an error, or perhaps some sort of social engineering, or perhaps simply a way to bypass security filters.
Analysis of these documents is pending, however this is likely to be the Dridex banking trojan. Please check back later.
UPDATE 1
Analysis is running slowly this morning, however this Hybrid Analysis shows one of the samples in action, downloading a binary from:
www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe
This has a detection rate of 3/55. That same analysis reports that it phones home to:
188.138.88.14 (PlusServer AG, France)
I strongly recommend that you block traffic to that IP.
UPDATE 2
These two Malwr reports [1] [2] reveal some additional download locations:
www.gooutsidethebox.net/786h5g4/9787g4fr4.exe
199.59.58.162/~admin1/786h5g4/9787g4fr4.exe
Wednesday, 13 January 2016
Malware spam: "Order 0046/033777 [Ref. MARKETHILL CHURCH]" / "JOHN RUSSELL [John.Russell@yesss.co.uk]"
This fake financial spam does not come from Yesss Electrical but is instead a simple forgery with a malicious attachment:
From JOHN RUSSELL [John.Russell@yesss.co.uk]
Date Wed, 13 Jan 2016 20:11:43 +0600
Subject Order 0046/033777 [Ref. MARKETHILL CHURCH]
John Russell
Branch Manager
Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW
T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk
[EW Award winner 2015]
[Electrical Times Award winner 2014]
[EW Award winner 2014]
[YESSS gains all three BSI industry standards]
[Order a YESSS Book NOW!]
[Our YESSS motto]
[Visit the YESSS website] [Visit the YESSS Facebook page] [Visit the YESSS Twitter page]
[Visit the YESSS Youtube page]
[Visit the YESSS Linkedin page]
[Visit the YESSS Pinterest page]
There are at least five different versions of the attachment 033777 [Ref. MARKETHILL CHURCH].doc (VirusTotal results [1] [2] [3] [4] [5]). Analysis of these documents is pending, however it is likely to be the Dridex banking trojan.
UPDATE
These Malwr reports [1] [2] [3] [4] [5] indicate the macro in the document downloads from one of the following locations:
amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe
This binary has a detection rate of 4/53. The Hybrid Analysis shows the malware phoning home to:
85.25.200.103 (PlusServer AG, Germany)
I recommend that you block traffic to that IP.
Malware spam: "EDI Remittance Alert (BACS-E18020)"
This fake financial spam comes with a malicious attachment:
From: Clare Clements
Date: 13 January 2016 at 15:05
Subject: EDI Remittance Alert (BACS-E18020)
Hi!
Please find attached EDI BACS Remittance NO. E18020
Regards,
Clare Clements
So far I have seen just one sample of this spam, and it was malformed so it was not possible to open the attachment without decoding it first. When done, this gave a file FILENAME.DOC with a detection rate of 3/54. The Malwr report for the document is inconclusive, but it most likely attempts to load the Dridex banking trojan.
Malware spam: "Martine Hill [mhill@riverford.co.uk]" / "INV 30/12/15"
This fake financial spam does not come from Riverford Organic Farms Ltd but is instead a simple forgery with a malicious attachment:
From: Martine Hill [mhill@riverford.co.uk]
Date: 13 January 2016 at 09:17
Subject: INV 30/12/15
Kind regards
Martine Hill
Finance Assistant
Bank details
Sort code 30 98 69
Account no 00849096
Riverford Organic Farms
01803 227323
Riverford Organic Farms Ltd, Wash Barn, Buckfastleigh, TQ11 0JU
Registered in England No. 3731570
Attached is a file ROV_Report.doc which I have seen just a single variant of, with a VirusTotal detection rate of 2/55. The Malwr report indicates that the payload is identical to the one found in this spam run.
Malware spam: "Scanned Document" / "Color @ MRH Solicitors [color58@yahoo.co.uk]"
This fake scanned document has a malicious attachment:
From: Color @ MRH Solicitors [color58@yahoo.co.uk]
Date: 13 January 2016 at 07:53
Subject: Scanned Document
Find the attachment for the scanned Document
The attached file is named ScannedDocs122151.xls which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The Malwr reports for these documents [6] [7] [8] [9] [10] show the malicious macro contained within downloading a malware executable from:
armandosofsalem.com/l9k7hg4/b4387kfd.exe
trinity.ad-ventures.es/l9k7hg4/b4387kfd.exe
188.226.152.172/l9k7hg4/b4387kfd.exe
This dropped binary has a detection rate of 4/55. It is unclear what this does, as it throws an error in the Malwr report. The payload is almost definitely the Dridex banking trojan, and even if this version is faulty then it is likely that the malware will be fixed shortly.
Dropped file MD5:
a8a42968a9bb21bd030416c32cd34635
Attachment MD5s:
UPDATE
The Hybrid Analysis of the dropped binary shows attempted network traffic to the following domains:
exotelyxal.com
akexadyzyt.com
ekozylazal.com
These are hosted on an IP worth blocking:
158.255.6.128 (Mir Telematiki Ltd, Russia)
Tuesday, 12 January 2016
Malware spam: "Sales Invoice SIN040281. From Charbonnel et Walker Limited" / "Corinne Young [corinne.young@charbonnel.co.uk]"
This fake financial email does not come from Charbonnel et Walker Limited but is instead a simple forgery with a malicious attachment.
From: Corinne Young [corinne.young@charbonnel.co.uk]
Date: 12 January 2016 at 10:42
Subject: Sales Invoice SIN040281. From Charbonnel et Walker Limited
Kind Regards
Corinne Young
Assistant Accountant
Charbonnel et Walker Ltd, Medway Road, Tunbridge Wells, TN1 2FD
Tel: +44 (0)1892 559019 Fax: +44 (0)1892 559015
An error in the way the spam is formatted gives an attachment that appears to be named "SIN040281.DOC (note the leading quote marks) which will save on a Windows system as _SIN040281.DOC. I have only seen one variant of this attachment with a detection rate of 6/55 and for which the Malwr report indicates that this is the Dridex banking trojan (botnet 220) as described here.
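The zero-length attachments and mangled filenames described in this post and in the "Scanned image from MX-2640N" post can be reproduced with Python's standard email parser. This is an added example, not code from the blog; it assumes (my reading of the symptom, not something the posts state) that the spammers' Base64 body begins with a space and follows the Content-Disposition header with no blank line, so RFC 5322 header folding swallows it into the filename parameter. The message, the filename and the check function are constructed here.

```python
import email
import re
from typing import Dict, List

# Base64 of the first 54 bytes of an OLE2 / Compound File header
# (D0 CF 11 E0 A1 B1 1A E1 ...). "0M8R4KGxGuE" is the prefix that appears
# in the mangled filenames on the page; the remainder is constructed here.
OLE2_B64 = "0M8R4KGxGuEA" + "A" * 20 + "PgADAP7/CQAG" + "A" * 12 + "AAACAAAAKgAAAAAA"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
B64_OLE2_PREFIX = "0M8R4KGx"  # base64 of D0 CF 11 E0 A1 B1


def build_message(filename: str, broken: bool) -> bytes:
    """Constructed two-part message carrying a .doc attachment.

    broken=True models the spammers' error as assumed here: the base64 body
    starts with a space and follows the Content-Disposition header without the
    blank line that ends the header block, so a parser folds it into the header.
    """
    boundary = "exampleboundary"
    separator = "\r\n" if broken else "\r\n\r\n"
    body = (" " + OLE2_B64) if broken else OLE2_B64
    text = (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: Statement\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Your report is attached in DOC format.\r\n"
        f"--{boundary}\r\n"
        f'Content-Type: application/msword; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"'
        f"{separator}{body}\r\n"
        f"--{boundary}--\r\n"
    )
    return text.encode("ascii")


def inspect_attachments(raw: bytes) -> List[Dict[str, object]]:
    """Report every attachment part, flagging the tell-tales of a mangled one:
    a base64 part that decodes to nothing, header-folding junk in the filename,
    or a filename that carries the base64 OLE2 header itself."""
    findings: List[Dict[str, object]] = []
    msg = email.message_from_bytes(raw)  # default (compat32) policy
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get("Content-Disposition") is None and part.get_filename() is None:
            continue  # inline body text, not an attachment
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        reasons = []
        if cte == "base64" and not payload:
            reasons.append("base64 attachment decodes to zero bytes")
        if re.search(r"[\r\n]", filename) or filename.startswith('"'):
            reasons.append("filename contains folded header junk")
        if B64_OLE2_PREFIX in filename:
            reasons.append("filename carries a base64-encoded OLE2 header")
        findings.append({
            "filename": filename,
            "size": len(payload),
            "ole2_header": payload[:8] == OLE2_MAGIC,
            "malformed": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for broken in (False, True):
        for f in inspect_attachments(build_message("Statement 012016.doc", broken)):
            print("broken" if broken else "intact", f["size"], f["reasons"],
                  repr(f["filename"])[:60])
```

A gateway that sees the "zero bytes" or "folded header junk" reasons on a Word attachment has a good quarantine signal even when the sample itself is inert.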
Malware spam: "Copy of our CREDIT NOTE number 00000962064" / "SANTAN [sfernandes@simplesimon.co.uk]"
This fake financial spam has a malicious attachment:
From: SANTAN [sfernandes@simplesimon.co.uk]
To: POLLY [olga@bayley-sage.co.uk]
Date: 12 January 2016 at 10:55
Subject: Copy of our CREDIT NOTE number 00000962064
This message contains 1 pages in Microsoft Word format.
Both the "From" and "To" fields are fake. Attached is a document fax00065189.doc that I have seen two versions of (VirusTotal results [1] [2]). The Malwr reports for those two files [3] [4] show that this is trying to deliver the Dridex banking trojan, as described here.
Malware spam: "Payment Advice - 0002014343" / Bhavani Gullolla [bhavani.gullolla1@wipro.com]
This fake financial spam is not from Wipro but is instead a simple forgery with a malicious attachment.
From: Bhavani Gullolla [bhavani.gullolla1@wipro.com]
Date: 12 January 2016 at 09:51
Subject: Payment Advice - 0002014343
Dear Sir/Madam,
This is to inform you that we have initiated the electronic payment through our Bank.
Please find attached payment advice which includes invoice reference and TDS deductions if any.
Transaction Reference :
Vendor Code :9189171523
Company Code :WT01
Payer/Remitters Reference No :63104335
Beneficiary Details :43668548/090666
Paymet Method : Electronic Fund Transfer
Payment Amount :1032.00
Currency :GBP
Processing Date :11/01/2016
For any clarifications on the payment advice please mail us at wipro.vendorhelpdesk@wipro.com OR
call Toll Free in India 1800-200-3199 between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order.
Regards,
VHD Signature
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a malicious binary from:
hotpointrepair.info/u5y4g3/76u54g.exe
This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55 and this Malwr report shows network traffic to:
199.231.189.9 (Interserver Inc, US)
I strongly recommend that you block this IP address.
Payload MD5:
b3d8604fee5ae6091928486c1fb11625
Attachment MD5s (there are probably others!)
3a73b39a8f84f96d8f9c19b4b88080c7
8fa6a1d7daebb9244db8458d99a45b38
UPDATE
There is an additional download location of:
per-forms.com/u5y4g3/76u54g.exe
The payload has changed but still has similar characteristics to before [VirusTotal report / Malwr report].
Payload MD5:
aaf2070192032e4e4cde5e16d0d7fcce
Malware spam: "Lattitude Global Volunteering - Invoice - 3FAAB65"
This fake financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple forgery with a malicious attachment.
From: Darius Green
Date: 12 January 2016 at 09:33
Subject: Lattitude Global Volunteering - Invoice - 3FAAB65
Dear customer,
Please find attached a copy of your final invoice for your placement in Canada.
This invoice needs to be paid by the 18th January 2016.
Due to recent increases in credit card charges, we prefer that you pay your invoice by bank transfer; our bank details are:
You must provide your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
Account Name: Lattitude Global Volunteering
Bank: Barclays Bank
Sort Code: 20-71-03
Account No. 20047376
IBAN: GB13BARC20710320047376
SWIFBIC: BARCGB22
Kind regards
Luis Robayo
Accounts Department
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
finance@lattitude.org.uk
WWW.lattitude.org.uk
Visit us on Facebook
Follow us on Twitter
Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).
I have personally only seen two samples so far, with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:
31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php
This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)
A file kfc.exe, with a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986, is dropped onto the target system. Those previous Malwr reports indicate that it phones home to a familiar IP of:
78.47.119.93 (Hetzner, Germany)
Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84
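As an added example (not part of this post or the Wipro/Dridex 220 post above), here is a small Python triage check that runs the indicators from both posts over Squid proxy log lines. It goes a little beyond the page: because each campaign reuses one URI path across several hosts (per-forms.com turned up with the same /u5y4g3/76u54g.exe path as hotpointrepair.info), it matches on the path as well as the host, so a later host serving the same path is still caught; the Squid native log layout is assumed and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the two campaigns analysed above.
DOWNLOAD_PATHS = {"/u5y4g3/76u54g.exe", "/shifaki/indentification.php"}
DOWNLOAD_HOSTS = {"hotpointrepair.info", "per-forms.com",
                  "31.131.20.217", "185.125.32.39", "5.34.183.41", "5.149.254.84"}
C2_IPS = {"199.231.189.9", "78.47.119.93"}

# Squid native access.log layout (assumed input format):
# ts elapsed client result/status bytes method url ident hierarchy/peerhost type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+"
)

def classify(line):
    """Return (client, reason, indicator) for a matching line, else None.
    Precedence: C2 contact (host is infected) > payload download (infection
    attempt) > bare hit on a known download host (may be an unrelated page).
    """
    m = SQUID_RE.match(line)
    if not m:
        return None
    client, url, peer = m.group("client"), m.group("url"), m.group("peer")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in C2_IPS or peer in C2_IPS:
        return (client, "dridex-c2-beacon", host if host in C2_IPS else peer)
    if parts.path in DOWNLOAD_PATHS:  # path match catches hosts added later
        return (client, "dridex-payload-download", host + parts.path)
    if host in DOWNLOAD_HOSTS:
        return (client, "dridex-download-host", host)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not from the page): a benign fetch, a download of
# the shared payload path from a host the page does not list, and a C2 beacon.
SAMPLE_LOG = [
    "1452528000.123 45 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1452528011.456 812 10.0.0.7 TCP_MISS/200 221184 GET http://new-host.example/u5y4g3/76u54g.exe - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1452528040.789 30 10.0.0.7 TCP_MISS/200 312 POST http://199.231.189.9/ - HIER_DIRECT/199.231.189.9 text/html",
]
if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```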
Monday, 11 January 2016
Malware spam: "Invoice No 39830 from CHEVRON ALARMS LTD A/C LA 6130AD38"
This fake invoice comes with a malicious attachment:
From: Tracy Simpson
Date: 11 January 2016 at 12:56
Subject: Invoice No 39830 from CHEVRON ALARMS LTD A/C LA 6130AD38
Please ensure that you keep us informed of any changes in your Bank Account details as you may need to set up a new Direct Debit mandate.
If you no longer wish to continue payment via Direct Debit after the minimum term of 12 months has elapsed, then payments can also be made via our website www.chevronalarms.com: click on the Payments tab and choose to make a payment via PayPal. Please quote the Invoice number 39830 and your Account Number LA MOT01.
Alternatively you can call the office on 01784 438822 and pay directly by Debit or Credit Card.
Please note that we make no additional charge for payment by Visa or MasterCard Credit or Debit cards; however, there will be a 4% handling charge if payment is made via American Express.
Bank Payments may also be made to HSBC Bank PLC - Egham Branch
Sort Code 40-20-34
Account 6130AD38
Please quote reference 39830
Kind regards
Chevron Alarms
Tel: 01784 438822
Fax: 01784 438970
Email: service@chevronalarms.com
Chevron Alarms
Unit 10, Eversley Way, Thorpe Industrial Estate, Egham, Surrey, TW20 8RG
Registered in England: Registration No. 6143385, VAT No. 4388019 32
There are several different versions with different attachments, all with low detection rates [1] [2] [3], and the Malwr reports [4] [5] [6] indicate that this is the same Dridex banking trojan as described here.