Monday, 25 January 2016
Malware spam FAIL: "Direct Debit Mandate from COMPANY NAME"
This morning's Dridex spam run spoofs a set of random companies. However, the attachment is malformed and cannot be downloaded.. at least in the samples I have seen.
From: Hilton Castaneda
Date: 25 January 2016 at 09:40
Subject: Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST
Good morning
Please attached Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST;
complete, sign and scan return at your earliest convenience.
Kind regards,
Hilton Castaneda
TEAM SUPPORT
NORTH ATLANTIC SMALL COS INV TST
t. 01897 566 634
f. 0856 814 1637
==========
From: Stanford Rich
Date: 25 January 2016 at 08:39
Subject: Direct Debit Mandate from SUNPLUS TECHNOLOGY CO LTD
Good morning
Please attached Direct Debit Mandate from SUNPLUS TECHNOLOGY CO LTD;
complete, sign and scan return at your earliest convenience.
Kind regards,
Stanford Rich
TEAM SUPPORT
SUNPLUS TECHNOLOGY CO LTD
t. 01899 146 416
f. 0818 208 3763
==========
From: Jewell Chavez
Date: 25 January 2016 at 09:38
Subject: Direct Debit Mandate from STELLAR DIAMONDS PLC
Good morning
Please attached Direct Debit Mandate from STELLAR DIAMONDS PLC;
complete, sign and scan return at your earliest convenience.
Kind regards,
Jewell Chavez
TEAM SUPPORT
STELLAR DIAMONDS PLC
t. 01723 748 961
f. 0849 101 7259
==========
From: Louisa Nielsen
Date: 25 January 2016 at 09:08
Subject: Direct Debit Mandate from HALMA
Good morning
Please attached Direct Debit Mandate from HALMA;
complete, sign and scan return at your earliest convenience.
Kind regards,
Louisa Nielsen
TEAM SUPPORT
HALMA
t. 01522 109 616
f. 0868 158 4319
I haven't had time to do any analysis on the b0rked attachments. I will try to post some updates later.
Labels: Dridex, Malware, Spam, Viruses, DOC
Friday, 22 January 2016
Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com
This fake delivery email is not from UKMail but is instead a simple forgery with a malicious attachment:
From: no-reply@ukmail.com
Date: 22 January 2016 at 12:14
Subject: UKMail 988271023 tracking information
UKMail Info!
Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
Best regards,
UKMail
The attachment is named 988271023-PRCL.xls which appears to come in at least two variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a malicious executable from:
www.stijnminne.be/ghf56sgu/0976gg.exe
raeva.com.ua/ghf56sgu/0976gg.exe
This binary has a detection rate of 4/54. It is the same payload as found in this earlier spam run.
Malware spam: "Message from KONICA_MINOLTA" / MFD / scanner / SKM_4050151222162800.doc
At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.
The spam appears to come from within the victim's own domain, from one of the following email addresses:
MFD@victimdomain.tld
scanner@victimdomain.tld
KONICA_MINOLTA@victimdomain.tld
with one of the following subjects:
Subject: Message from KONICA_MINOLTA
Subject: Message from MFD
Subject: Message from scanner
This is just a simple forgery. It doesn't mean that your organisation has been compromised.. it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in three versions (VirusTotal [1] [2] [3]). The Malwr reports [4] [5] [6] indicate executable download locations at:
www.showtown-danceband.de/ghf56sgu/0976gg.exe
ausonia-feng-shui.de/ghf56sgu/0976gg.exe
gahal.cz/ghf56sgu/0976gg.exe
This binary has a detection rate of 1/54 and that VirusTotal report plus this Malwr report show it phoning home to:
192.241.207.251 (Digital Ocean Inc., US)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220.
Thursday, 21 January 2016
Malware spam: "Gompels Healthcare Ltd Invoice" / Gompels Healthcare ltd [salesledger@gompels.co.uk]
This fake financial spam does not come from Gompels Healthcare Ltd but is instead a simple forgery with a malicious attachment.
From: Gompels Healthcare ltd [salesledger@gompels.co.uk]
Date: 21 January 2016 at 12:57
Subject: Gompels Healthcare Ltd Invoice
Hello
Please see attached pdf file for your invoice
Thank you for your business
The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:
return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe
That marks it out as Dridex 220, similar to this spam run. However, the executable has changed from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal, although the malware still phones home to the same IP of 216.224.175.92 as before.
Malware spam FAIL: "Credit UB 7654321 dated 15.01.15 £12,345.67 - COMPANY NAME"
This fake financial spam is meant to have a malicious attachment. Company names, senders, values and reference numbers vary, but here are some examples:
From: Inez Rhodes
Date: 21 January 2016 at 12:33
Subject: Credit UB 1130909 dated 15.01.15 £26,842.15 - EXOVA GRP PLC
Hi,
Please find attached Debit Note UB11309096 which will offset UB 11309097
Due to a system error UB11309097 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Inez Rhodes
Management Accountant - EXOVA GRP PLC
t. 01523 171 662
f. 0888 650 6709
==========
From: Cortez Bird
Date: 21 January 2016 at 12:40
Subject: Credit UB 1793159 dated 15.01.15 £77,538.80 - BARCLAYS PLC
Hi,
Please find attached Debit Note UB17931596 which will offset UB 17931597
Due to a system error UB17931597 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Cortez Bird
Management Accountant - BARCLAYS PLC
t. 01662 855 271
f. 0882 284 7942
==========
From: Autumn Pierce
Date: 21 January 2016 at 11:39
Subject: Credit UB 1911242 dated 15.01.15 £73,910.50 - GLOBAL PORTS INVESTMENTS PLC
Hi,
Please find attached Debit Note UB19112426 which will offset UB 19112427
Due to a system error UB19112427 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Autumn Pierce
Management Accountant - GLOBAL PORTS INVESTMENTS PLC
t. 01361 953 147
f. 0883 597 3136
Example attachment names are:
HPscanner3F3AB@ebene-events.net_250371.doc
HPscanner5CF83@hacettepe.edu.tr_8760547.doc
Sharp87143@autoprivoz.ru_3718432.doc
HPscanner7180F@instrument-pily.ru_1587243.doc
In all the samples I have seen, the attachment is not formatted correctly and cannot be downloaded. Typically it will appear to be a 0 byte file with no name, but results might vary depending on the mail client.
After manually decoding the malware from the Base64 section in the email, I found two distinct versions of the attachment (VirusTotal [1] [2]) and the Malwr reports [3] [4] show a malicious download from:
5.189.216.101/dropbox/download.php
The payload is the Dridex banking trojan (botnet 120) as described here.
Malware spam: admin@replacementkeys.co.uk / INVOICEPaid_100114000.xls
This spam does not come from admin@replacementkeys.co.uk but is instead a simple forgery with a malicious attachment.
From Replacement Keys [admin@replacementkeys.co.uk]
Date Thu, 21 Jan 2016 17:15:08 +0530
Subject =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=
Order Received!
We will send you another email when it has been dispatched . If you have any questions about your order please reply to this email. Your order confirmation is below. Thank you for ordering from us.
Thank you again,
Replacement Keys
Attached is a file INVOICEPaid_100114000.xls of which I have only seen a single variant. The VirusTotal detection rate is 4/53 and the Malwr report indicates a download location from:
montaj-klimat.ru/8h75f56f/34qwj9kk.exe
The binary dropped is identical to the one in this earlier spam run and it leads to the Dridex banking trojan.
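Two posts on this page involve work a responder repeats often: the "Credit UB" FAIL run above, where the attachment is mangled and the author decodes the Base64 section of the email by hand, and this replacementkeys run, whose Subject arrives as the RFC 2047 encoded word =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=. The following Python is an added example, not code from the blog: it decodes the subject, extracts attachments through the standard MIME parser, and when the MIME structure is broken (modelled here by a misspelt part delimiter) carves the base64 block out of the raw message and hashes it, so the MD5 can be compared against the VirusTotal values quoted in the posts. The message, boundary names, recipient and payload bytes are constructed; the payload is a harmless placeholder, not a sample.

```python
import base64
import binascii
import hashlib
import re
from email import message_from_bytes, policy

# Constructed stand-in for the attachment bytes. Harmless text, not a sample.
PAYLOAD = b"constructed placeholder for INVOICEPaid_100114000.xls\n" * 8

# A base64 body: the Content-Transfer-Encoding header, any further header
# lines, the blank line that ends the headers, then the run of encoded lines.
B64_BLOCK = re.compile(
    rb"Content-Transfer-Encoding:[ \t]*base64[^\n]*\n"
    rb"(?:[^\n]+\n)*?"
    rb"\n"
    rb"((?:[A-Za-z0-9+/=]+\n)+)",
    re.IGNORECASE,
)


def md5_hex(data):
    """MD5 as printed by VirusTotal and quoted throughout the posts."""
    return hashlib.md5(data).hexdigest()


def build_sample(malformed):
    """Construct a raw message modelled on the forgery quoted above.

    With malformed=True the opening delimiter of the attachment part is
    misspelt, so a MIME parser folds that part into the text body and a mail
    client shows an empty, nameless attachment, as the FAIL posts describe.
    Recipient and boundary are constructed values."""
    delim = b"--=-constructed-boundary"
    att_delim = b"--=-constructed-boundry" if malformed else delim
    return b"".join([
        b"From: Replacement Keys <admin@replacementkeys.co.uk>\n",
        b"To: recipient@example.invalid\n",
        b"Subject: =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=\n",
        b"MIME-Version: 1.0\n",
        b'Content-Type: multipart/mixed; boundary="=-constructed-boundary"\n',
        b"\n",
        delim + b"\n",
        b"Content-Type: text/plain; charset=utf-8\n\n",
        b"Order Received!\n\n",
        att_delim + b"\n",
        b"Content-Type: application/vnd.ms-excel\n",
        b"Content-Disposition: attachment\n",
        b"Content-Transfer-Encoding: base64\n\n",
        base64.encodebytes(PAYLOAD),
        b"\n" + delim + b"--\n",
    ])


def carve_base64(raw):
    """Recover base64 bodies straight from the raw message, the way the posts
    describe decoding the Base64 section by hand when the MIME structure is
    broken. Anything that fails strict base64 validation is skipped."""
    text = raw.replace(b"\r\n", b"\n")
    blobs = []
    for match in B64_BLOCK.finditer(text):
        compact = b"".join(match.group(1).split())
        try:
            blobs.append(base64.b64decode(compact, validate=True))
        except binascii.Error:
            continue
    return blobs


def analyse(raw):
    """Decode the subject, list attachments the MIME parser can see, and fall
    back to carving when it sees none. Returns hashes only, never writes files."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"subject": str(msg["subject"]), "attachments": [], "carved": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        result["attachments"].append({
            "filename": part.get_filename(),  # None when the header lacks one
            "size": len(data),
            "md5": md5_hex(data),
        })
    if not result["attachments"]:
        result["carved"] = [
            {"size": len(blob), "md5": md5_hex(blob)} for blob in carve_base64(raw)
        ]
    return result


if __name__ == "__main__":
    for broken in (False, True):
        print("malformed" if broken else "well-formed", analyse(build_sample(broken)))
```

Running the block prints both cases: the well-formed message yields one nameless attachment through the parser, the malformed one yields nothing from the parser and one carved blob with the same MD5. The encoded subject decodes to "New Order # 100114000" in both. The output is a hash to look up, which is all a triage step needs; the carved bytes are never written to disk or opened.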
Malware spam: "statement - payment due" / [accounts@phoenixorganics.ltd.uk]
This fake financial spam does not come from Phoenix Organics Ltd but is instead a simple forgery with a malicious attachment.
From [accounts@phoenixorganics.ltd.uk]
Date Thu, 21 Jan 2016 13:09:43 +0300
Subject statement - payment due
Please can you send a payment to clear the August invoices.
Thank you
Regards
Liz
Phoenix Organics Ltd
I have only seen one sample of this, with an attachment named Customer statement.doc - this has a VirusTotal detection rate of 2/54 and the Malwr report shows a download from:
phaleshop.com/8h75f56f/34qwj9kk.exe
This is one of the locations used in this earlier spam run, and it marks it out as being the Dridex banking trojan spammed out by botnet 220.
Malware spam: "Your Telephone Bill Invoices & Reports" / "The Billing Team" [noreply@callbilling.co.uk]
This fake financial spam has a malicious attachment.
From "The Billing Team" [noreply@callbilling.co.uk]
Date Thu, 21 Jan 2016 11:44:19 +0100
Subject Your Telephone Bill Invoices & Reports
Please see the attached Telephone Bill & Reports.
Please use the contact information found on the invoice if you wish to contact your
service provider.
This message was sent automatically.
**********************************************************************************
If you have received this e-mail in error, please delete the message from your computer.
This e-mail and any attachments may contain information which is private and confidential
and should only be read by those persons to whom it is addressed. Your Call Billing
Provider accepts no liability for loss or damage suffered by any person arising from
the use of this e-mail.
The unauthorised use, disclosure or copying of this e-mail or any information contained
within, is strictly prohibited. Any views expressed in this e-mail are those of the
individual sender, except where the message states otherwise.
We take reasonable precautions to ensure our e-mails are virus free. We recommend
that you subject any incoming e-mail to your own virus checking procedure.
Please see the full terms and conditions on your call billing providers web site.
These are subject to change and we recommend that you review them periodically.
I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53. The Malwr report for that document shows a download location of:
bolmgren.com/8h75f56f/34qwj9kk.exe
That is one of the locations found with this earlier spam run, and the payload is the Dridex banking trojan.
Malware spam: "invoices@ebillinvoice.com" / "201552 ebill"
This fake financial email comes with a malicious attachment.
From invoices@ebillinvoice.com
Date Thu, 21 Jan 2016 15:13:36 +0530
Subject 201552 ebill
Customer No : 8652
Email address : [redacted]
Attached file name : 8652_201552.DOC
Dear customer
Please find attached your invoice for 201552.
To manage your account online - please visit Velocity.
https://www.velocitycardmanagement.com
Alternatively please contact us on:
invoices@ebillinvoice.com
Yours sincerely
Louisa Brown
DCI
Ground Floor, Unit 2,
Galway Technology Park,
Parkmore, Galway, H91KFD3
Company Reg No : 233354
======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
There are at least three different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3]) for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:
phaleshop.com/8h75f56f/34qwj9kk.exe
bolmgren.com/8h75f56f/34qwj9kk.exe
return-gaming.de/8h75f56f/34qwj9kk.exe
montaj-klimat.ru/8h75f56f/34qwj9kk.exe [spotted here]
This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54. Those reports indicate that it phones home to:
216.224.175.92 (SoftCom America Inc., US)
A contact (thank you) also pointed out some other locations the malware phones home to:
216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
216.117.130.191 (Advanced Internet Technologies Inc., US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
The payload is the Dridex banking trojan, being sent by botnet 220.
Recommended blocklist:
216.224.175.92
216.59.16.175
216.117.130.191
202.69.40.173
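The blocklists and download URLs in these posts are indicators a defender can turn into a log check. Notice that the hosts serving the executable change from run to run while the path component (/8h75f56f/34qwj9kk.exe, /98jh6d5/89hg56fd.exe, /ghf56sgu/0976gg.exe) is reused across them, so a match on the path alone catches a host that is not on the list yet. This Python is an added example, not the blog's code: it loads the indicators quoted in the posts and scans Squid-format proxy log lines for phone-home IPs, known download hosts and reused download paths. The log lines, client addresses and the unlisted host name are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Phone-home / C2 addresses the posts above recommend blocking.
C2_IPS = {
    "216.224.175.92", "216.59.16.175", "216.117.130.191", "202.69.40.173",
    "198.50.234.211", "5.189.216.101", "192.241.207.251",
}

# Download locations quoted in the posts (host/path, scheme omitted as the blog does).
DOWNLOAD_URLS = [
    "phaleshop.com/8h75f56f/34qwj9kk.exe",
    "bolmgren.com/8h75f56f/34qwj9kk.exe",
    "return-gaming.de/8h75f56f/34qwj9kk.exe",
    "montaj-klimat.ru/8h75f56f/34qwj9kk.exe",
    "www.stijnminne.be/ghf56sgu/0976gg.exe",
    "www.lassethoresen.com/98jh6d5/89hg56fd.exe",
    "5.189.216.101/dropbox/download.php",
    "91.223.88.206/victor/onopko.php",
    "46.17.100.209/aleksei/smertin.php",
]


def split_indicator(ioc):
    """Split 'host/path' into (host, '/path')."""
    host, _, path = ioc.partition("/")
    return host.lower(), "/" + path


# Hosts rotate between spam runs but the path is reused, so index both.
DOWNLOAD_HOSTS = {split_indicator(u)[0] for u in DOWNLOAD_URLS}
DOWNLOAD_PATHS = {split_indicator(u)[1] for u in DOWNLOAD_URLS}

# Squid native access.log: timestamp elapsed client result/code bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(url):
    """Return the indicator types a requested URL matches (empty list if clean)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_IPS:
        reasons.append("c2-ip")
    if host in DOWNLOAD_HOSTS:
        reasons.append("download-host")
    if parts.path in DOWNLOAD_PATHS:
        reasons.append("download-path")
    return reasons


def scan_logs(lines):
    """Return (client, url, reasons) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # not a Squid access line; skip rather than guess
        reasons = classify(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


# Constructed log lines: one clean request, one fetch of a listed download URL,
# one POST to a listed phone-home IP, and one fetch of the reused path from a
# host that is not on the list (the host name is made up).
SAMPLE_LOG = """\
1453374001.123    152 10.0.0.21 TCP_MISS/200 4711 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1453374002.456    230 10.0.0.42 TCP_MISS/200 189440 GET http://phaleshop.com/8h75f56f/34qwj9kk.exe - HIER_DIRECT/203.0.113.5 application/octet-stream
1453374003.789    199 10.0.0.42 TCP_MISS/200 512 POST http://216.224.175.92/ - HIER_DIRECT/216.224.175.92 -
1453374004.001    210 10.0.0.77 TCP_MISS/200 189440 GET http://not-yet-listed.example.net/8h75f56f/34qwj9kk.exe - HIER_DIRECT/203.0.113.9 application/octet-stream
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_logs(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The third sample line is the one worth noting: the host is unknown, but the reused path still flags it, which is how a list built from one day's posts keeps catching the next day's hosts. A client that fetched the executable and then posted to a phone-home IP (10.0.0.42 here) is the machine to pull for a look.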
Malware spam: "Invoice from COMPANY NAME - 123456"
This spam comes from random senders at random companies with random reference numbers. The attachment is named to reflect those values. For example:
From: Bettye Davidson
Date: 21 January 2016 at 08:24
Subject: Invoice from DRAGON OIL - 8454985
Please find attached a copy of your invoice
Many Thanks
Bettye Davidson
DRAGON OIL
Attachment: DRAGON OIL - inv8454985.DOC
================
From: Charlotte Atkinson
Date: 21 January 2016 at 08:23
Subject: Invoice from GULF FINANCE HOUSE - 40610
Please find attached a copy of your invoice
Many Thanks
Charlotte Atkinson
GULF FINANCE HOUSE
Attachment: GULF FINANCE HOUSE - inv40610.DOC
================
From: Lucien Drake
Date: 21 January 2016 at 09:26
Subject: Invoice from HYDROGEN GROUP PLC - 477397
Please find attached a copy of your invoice
Many Thanks
Lucien Drake
HYDROGEN GROUP PLC
Attachment: HYDROGEN GROUP PLC - inv477397.doc
So far I have seen a couple of different versions of the attachment (VirusTotal [1] [2]) which according to Malwr [3] [4] both download a malicious binary from:
5.189.216.101/dropbox/download.php
This IP belongs to LLHost Inc, Netherlands. You can assume that the IP is malicious.
The dropped binary is named rare.exe, and has an MD5 of e6f67b358009f66f1a4840c1eff19c2e and a detection rate of 4/53. The Malwr report for this shows it phoning home to:
198.50.234.211 (OVH, Canada)
The payload is the Dridex banking trojan, and this behaviour is characteristic of Botnet 120.
Recommended blocklist:
198.50.234.211
5.189.216.101
Wednesday, 20 January 2016
Malware spam: "Invoice / Credit Note Express Newspapers (S174900)" / georgina.kyriacoumilner@express.co.uk
This fake financial spam is not from Express Newspapers but is instead a simple forgery with a malicious attachment:
From: georgina.kyriacoumilner@express.co.uk
Reply-To: hannah.johns@express.co.uk
Date: 20 January 2016 at 14:28
Subject: Invoice / Credit Note Express Newspapers (S174900)
Please find attached Invoice(s) / Credit Note(s) from Express Newspapers.
If you have any queries with it, or to request that future documents get sent to a different email address for processing, please contact:
hannah.johns@express.co.uk or telephone 020 8612 7149.
N.B. Please do not reply to this email address as it is not checked.
Kind Regards,
Express Newspapers
Finance Dept - 4th Floor,The Northern & Shell Building
Number 10 Lower Thames Street, London EC3R 6EN
****************************************************************************
Any views or opinions are solely those of the author and do not necessarily represent those of Express Newspapers
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.If you are not the intended recipient of this message please do not read ,copy, use or disclose this communication and notify the sender immediately. It should be noted that any review, retransmission, dissemination or other use of, or taking action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. E-mail communications may be monitored.
****************************************************************************
EXN2006
Attached is a file S174900.DOC which comes in at least three different versions (VirusTotal results [1] [2] [3]) and the Malwr reports for those [4] [5] [6] show the following download locations:
www.helios.vn/98jh6d5/89hg56fd.exe [404 error]
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe
www.lassethoresen.com/98jh6d5/89hg56fd.exe
These are the same locations as seen here, but now the payload has changed to one with an MD5 of 34781d4f8654f9547cc205061221aea5 and a detection rate of 1/54. The malware still phones home to:
216.224.175.92 (SoftCom America Inc, US), which I recommend you block.
Malware spam: "Emailing: 120205 Letter-response A3 2-2" / Tim Speed [Tim@plan4print.co.uk]
Tim Speed is really a super name for a printer. Better for a racing driver, but still good for a printer. Anyway, this fake financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple forgery with a malicious attachment.
From Tim Speed [Tim@plan4print.co.uk]
Date Wed, 20 Jan 2016 14:33:24 +0300
Subject Emailing: 120205 Letter-response A3 2-2
Hi
Please find estimate attached for Letter-response A3 2-2
Kind regards
Tim Speed
Estimator / Account Handler
Tel: 0115 944 3377 Ext 104
Click here to check out our BRAND NEW website
Goshawk Road, Quarry Hill Industrial Park, Ilkeston, Derbyshire, DE7 4RG
Tel: 0115 944 3377 Fax: 0115 944 3388 Web: www.plan4print.co.uk
Email: tim@plan4print.co.uk
Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54. The Malwr report shows it downloading from:
www.lassethoresen.com/98jh6d5/89hg56fd.exe
This is the same malicious binary as used in this earlier attack. The payload is the Dridex banking trojan.
Malware spam: "Tax Invoice IN092649"/ Karin Edwards [karin.edwards@batonlockuk.com]
This fake financial spam is not from Baton Lock Ltd but is instead a simple forgery with a malicious attachment.
From: Karin Edwards [karin.edwards@batonlockuk.com]
Date: 20 January 2016 at 09:34
Subject: Tax Invoice IN092649
Tax Invoice IN092649 from Baton Lock Ltd.
Best Regards
Karin Edwards
Baton Lock Ltd
Attached is a file Tax Invoice IN092649.DOC which comes in at least two different versions (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] download from:
www.lassethoresen.com/98jh6d5/89hg56fd.exe
www.helios.vn/98jh6d5/89hg56fd.exe
The dropped file is Dridex, the same as used in this campaign.
Malware spam FAIL: "Your compliment (ref: 398864)" / Rachael Love [env9729health@aylesburyvaledc.gov.uk]
This spam is not from Aylesbury Vale District Council but is instead a simple forgery with a malicious attachment.
From Rachael Love [env9729health@aylesburyvaledc.gov.uk]
Date Wed, 20 Jan 2016 13:28:21 +0430
Subject Your compliment (ref: 398864)
I was not able to access the body text of this message. Note that the sender's email address varies slightly from message to message.
Attached is a file 398864 - Letter to recipient@domain.doc which contains the intended victim's email address. However - due to an error by the bad guys - none of the samples I have seen are downloadable.
The intended payload is probably the Dridex banking trojan, much like this.
Malware spam: "Your device is on its way" / "O2 Lease [O2BusinessContracts@o2.com]"
This fake financial email is not from O2 but is instead a simple forgery with a malicious attachment. The attachment may not be downloadable in all cases due to an error in formatting.
From: O2 Lease [O2BusinessContracts@o2.com]
Date: 20 January 2016 at 09:05
Subject: Your device is on its way
This electronic message contains information from Telefonica UK or Telefonica Europe which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email.
Hello
Great news, you've accepted the O2 Lease terms and conditions and the hire agreement.
We've put your order through. So we'll be sending your new device out in the next few days.
Best regards
O2 Customer Service
You can find out more about being on O2 at o2.co.uk/hello
For the latest updates and news, why not follow us on or
This email is sent from Telefónica UK Limited, a company registered in England and Wales. Registered office: 260 Bath Road, Slough, Berkshire, SL1 4DX.
Switchboard: +44 (0)113 272 2000
Email: feedback@o2.com
Telefonica UK Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 1743099. VAT number: GB 778 6037 85
Telefonica Europe plc 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 05310128. VAT number: GB 778 6037 85
Telefonica Digital Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 7884976. VAT number: GB 778 6037 85
Attached is a file CCAConfirmedAgreement-07540353301-1052136.DOC which (if you can download it) comes in at least two versions (VirusTotal results [1] [2]) and the Malwr reports for those [3] [4] show the malicious document downloading from:
www.lassethoresen.com/98jh6d5/89hg56fd.exe
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe
www.helios.vn/98jh6d5/89hg56fd.exe [from this spam run]
There are probably some other download locations too. The dropped binary has an MD5 of 7db792adc71e9dc0f6bb28a5f802b7ab and a detection rate of 4/54. Those Malwr reports and the VirusTotal report indicate network traffic to:
216.224.175.92 (SoftCom America Inc., US)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, and the characteristics look like botnet 220.
UPDATE
The payload for today's Dridex 220 runs has been updated to 34781d4f8654f9547cc205061221aea5 with a detection rate of 1/54.
Malware spam FAIL: "Emailed Order Confirmation - 94602:1" / "DANE THORNTON" [dane@direct-electrical.com]
This fake financial spam is meant to have a malicious attachment.
From "DANE THORNTON" [dane@direct-electrical.com]
Date Wed, 20 Jan 2016 16:31:21 +0800
Subject Emailed Order Confirmation - 94602:1
--
DANE THORNTON
Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up. Shame.
Tuesday, 19 January 2016
Malware spam: Remittance Advice For Invoice 40502329 From C-Tech
This fake financial spam is not from C-Tech but is instead a simple forgery with a malicious attachment.
From: Mary Mathis
Date: 19 January 2016 at 12:21
Subject: Remittance Advice For Invoice 40502329 From C-Tech
Dear Accounts
Please find attached our current remittance advice.
Kind Regards
Mary Mathis MAAT
Accounts Assistant
Tel: +44 (0)1903 268599
Fax: +44 (0)1903 795454
The sender's name, references and the name of the attachment will vary; the attachment itself is named something similar to remittance_advice40502329.doc. So far I have seen two versions with detection rates of 3/54 [1] [2] and the Malwr reports [3] [4] indicate a download from the following locations:
http://46.17.100.209/aleksei/smertin.php
http://31.131.20.217/aleksei/smertin.php
These IPs can be considered to be malicious and are allocated to:
46.17.100.209 (Mir Telematiki Ltd, Netherlands)
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
The attack is very similar to this Dridex 120 spam run earlier today, except that the download locations and dropped binary have changed to this one [VT] with an MD5 of c19959c2d372a7d40d4ba0f99745f114. According to this Malwr report, it phones home to the same evil IP address of 198.50.234.211 as before.
Malware spam: "A/c 1762881 - Remittance Advice" / "Industrial Electronic Wiring Ltd"
This fake financial spam does not come from Industrial Electronic Wiring Ltd but is instead a simple forgery with a malicious attachment.
From: Herb Castro [CastroHerb70608@essgee.com]
Date: 19 January 2016 at 10:29
Subject: A/c 1762881 - Remittance Advice
Hi
Please see attached remittance.
Can you please supply a copy of invoice 06438632660 dated 19.11.15., which we appear to be missing.
Regards
Herb Castro
Industrial Electronic Wiring Ltd
91.223.88.206/victor/onopko.php
5.34.183.127/victor/onopko.php
179.60.144.19/victor/onopko.php
This drops a file aarab.exe which is identical to the payload in this spam run.
Malware spam: "More scans" / admin / DOC201114-201114-001.DOC
This fake scanned document appears to come from admin@ the victim's own domain. There is no body text in the email.
From: admin [admin@victimdomain.tld]
Date: 19 January 2016 at 09:42
Subject: More scans
I have seen just a single sample, with a document named DOC201114-201114-001.DOC which has a detection rate of 4/53 and which, according to this Malwr report, downloads from:
www.cnbhgy.com/786585d/08g7g6r56r.exe
This download location was used in this earlier spam run, but the payload has now changed; however, it is still the Dridex banking trojan.
Malware spam: "Remittance Advice 1B859E37" / "Bellingham + Stanley"
This fake financial spam does not come from Bellingham + Stanley but is instead a simple forgery with a malicious attachment. Reference numbers and sender names will vary.
From: Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date: 19 January 2016 at 09:45
Subject: Remittance Advice 1B859E37
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Kind regards,
Adeline Harrison
Best Regards,
Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley
Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com
I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:
http://179.60.144.19/victor/onopko.php
http://5.34.183.127/victor/onopko.php
Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)
UPDATE 1: this related spam run also downloads from:
91.223.88.206/victor/onopko.php
This is allocated to "Private Person Anton Malyi" in Ukraine.
A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:
198.50.234.211 (OVH, Canada)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan; this attack is consistent with botnet 120.
UPDATE 2
This other Dridex 120 spam run uses different download locations:
46.17.100.209/aleksei/smertin.php
31.131.20.217/aleksei/smertin.php
The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.
Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217
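As an added example (my own code, not from the original post), here is a small Python checker that applies the recommended blocklist and the reported download paths to proxy log lines, the kind of sweep a defender would run after reading the post to find which internal machines fetched the dropper or phoned home. The IPs and URL paths are the ones listed in the post; the log lines, log format and internal client addresses are constructed for the example. It matches on the parsed hostname rather than on a substring, so a lookalike host that merely starts with the C2 address is not flagged.

```python
import re
from urllib.parse import urlparse

# IoCs taken from the post above: the recommended blocklist, the C2 address
# that aarab.exe talks to, and the two download paths reported by Malwr.
BLOCKLIST_IPS = {
    "198.50.234.211",
    "179.60.144.19",
    "5.34.183.127",
    "91.223.88.206",
    "46.17.100.209",
    "31.131.20.217",
}
C2_IP = "198.50.234.211"
DOWNLOAD_PATHS = {"/victor/onopko.php", "/aleksei/smertin.php"}

# Constructed sample proxy log in a simple combined-log style
# (client, timestamp, request line, status, bytes). Not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.12 [19/Jan/2016:10:31:07 +0000] "GET http://179.60.144.19/victor/onopko.php HTTP/1.1" 200 214528
10.0.0.12 [19/Jan/2016:10:31:09 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 1024
10.0.0.45 [19/Jan/2016:12:22:41 +0000] "GET http://46.17.100.209/aleksei/smertin.php HTTP/1.1" 200 214601
10.0.0.45 [19/Jan/2016:12:23:03 +0000] "POST http://198.50.234.211/ HTTP/1.1" 200 88
10.0.0.99 [19/Jan/2016:12:40:00 +0000] "GET http://198.50.234.211.evil.example/ HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def check_proxy_line(line):
    """Return the reasons a single log line matches the post's IoCs ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlparse(m.group("url"))
    host = url.hostname or ""  # exact parsed host, not a substring search
    reasons = []
    if host in BLOCKLIST_IPS:
        reasons.append(f"host {host} is on the blocklist")
    if url.path in DOWNLOAD_PATHS:
        reasons.append(f"path {url.path} is a known Dridex download path")
    return reasons


def scan_proxy_log(text):
    """Return [(client, url, reasons)] for every line that matches an IoC."""
    hits = []
    for line in text.splitlines():
        reasons = check_proxy_line(line)
        if reasons:
            m = LOG_RE.match(line.strip())
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


def affected_clients(text):
    """Sorted internal clients that contacted the C2 address (likely infected)."""
    clients = set()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (urlparse(m.group("url")).hostname or "") == C2_IP:
            clients.add(m.group("client"))
    return sorted(clients)


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, url, "; ".join(reasons))
    print("clients that phoned home:", affected_clients(SAMPLE_PROXY_LOG))
```

Because the matching is done on the parsed host and path, it does not matter that the post lists some download locations with an http:// prefix and some without; a request for the dropper is flagged by its path even if it is later moved to an IP not yet on the blocklist, and the C2 check picks out the machines that need to be pulled off the network first.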