Wednesday, 3 February 2016

Malware spam: "Invoice MOJU-0939" / Accounts [message-service@post.xero.com]

This fake financial spam does not come from Moju Ltd but is instead a simple forgery with a malicious attachment:

From:    Accounts [message-service@post.xero.com]
Date:    3 February 2016 at 09:04
Subject:    Invoice MOJU-0939

Hi,

Here's invoice MOJU-0939 for 47.52 GBP. For last weeks delivery.

The amount outstanding of 47.52 GBP is due on 25 Feb 2016.

If you have any questions, please let us know.

Thanks,
Moju Ltd
I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has a detection rate of 2/53 and which according to this Malwr report downloads a binary from:

www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe

This payload is the same as seen in this concurrent spam run.

Malware spam: "GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016"

This fake financial spam does not come from GS Toilet Hire but is instead a simple forgery with a malicious attachment. In other words, if you open it.. you will be in the sh*t.

From:    GS Toilet Hire [donotreply@sageone.com]
Date:    3 February 2016 at 09:12
Subject:    GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016

Good morning

Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.

Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.

Kind regards,

Linda Smith
Office, GS Toilet Hire

Direct enquiries
Glenn Johnson
07930 391 011
I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates [1] [2] and contain some highly obfuscated scripts [3] [4] which according to these analyses [5] [6] [7] download a binary from one of the following locations:

obstipatie.nu/43rf3dw/34frgegrg.exe
bjhaggerty.com/43rf3dw/34frgegrg.exe

(also www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe from this related spam run)

This type of download indicates that this is Dridex 220; it is unusual for it to be spammed out in a Javascript-in-ZIP format rather than as a malicious Office macro. The binary has a detection rate of 5/49 and this Hybrid Analysis shows the malware phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I strongly recommend that you block all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.

UPDATE

The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc, which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a binary from the following locations:

xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband.com/43rf3dw/34frgegrg.exe

(also best-drum-set.com/43rf3dw/34frgegrg.exe from this later spam run)

This is a different binary from before, with a detection rate of 4/53. It still phones home to the same location.
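The post above gives three things a defender can act on: a C2 address, the /22 it sits in, and a download path that is identical across every compromised website in the run. The following is an added example (not the blog author's code) showing how to turn those into a log check. It scans a constructed proxy log (placeholder hostnames, invented client addresses) for the exact path, for the netblock, and, as a generalisation that is my assumption rather than something the post states, for the looser shape /<short-alnum>/<short-alnum>.exe that every download URL on this page shares; one of the sample lines uses the /5h4g/0oi545gfgf.exe path from the other runs reported here to show that match. It then correlates the two signals so that clients which both fetched a dropper and beaconed to the C2 range come out first.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted from the post above: the C2 address, the /22 the post suggests
# blocking, and the path the droppers fetched from several compromised websites.
C2_ADDRESSES = {ipaddress.ip_address("91.239.232.145")}
C2_NETBLOCKS = [ipaddress.ip_network("91.239.232.0/22")]
KNOWN_DROPPER_PATHS = {"/43rf3dw/34frgegrg.exe"}

# Assumption (a generalisation, not stated in the post): the download URLs in this
# run all look like /<short-alnum>/<short-alnum>.exe, so a loose pattern catches
# hosts the post never listed while leaving ordinary installer downloads alone.
CAMPAIGN_PATH_RE = re.compile(r"^/[a-z0-9]{3,10}/[a-z0-9]{3,12}\.exe$")

DOWNLOAD_REASONS = {"known-dropper-url", "dridex-style-download-path"}
C2_REASONS = {"known-c2-address", "c2-netblock"}

# Constructed proxy log lines (not real traffic); hostnames are placeholders.
# Format: <timestamp> <client_ip> <destination> <method> <url> <status>
SAMPLE_LOG = """\
2016-02-03T09:20:11Z 10.1.2.33 compromised-site.example GET http://compromised-site.example/43rf3dw/34frgegrg.exe 200
2016-02-03T09:20:14Z 10.1.2.33 91.239.232.145 POST http://91.239.232.145/ 200
2016-02-03T09:21:02Z 10.1.2.40 www.example.org GET http://www.example.org/index.html 200
2016-02-03T09:22:45Z 10.1.2.51 91.239.233.7 POST http://91.239.233.7/ 200
2016-02-03T09:23:10Z 10.1.2.60 other-site.example GET http://other-site.example/5h4g/0oi545gfgf.exe 200
2016-02-03T09:24:00Z 10.1.2.60 cdn.example.net GET http://cdn.example.net/downloads/setup-1.2.exe 200
"""


def classify(line: str) -> list:
    """Return the reasons (possibly none) why one log line matches the indicators."""
    _ts, _client, dest, _method, url, _status = line.split()
    reasons = []
    path = urlsplit(url).path.lower()
    if path in KNOWN_DROPPER_PATHS:
        reasons.append("known-dropper-url")
    elif CAMPAIGN_PATH_RE.match(path):
        reasons.append("dridex-style-download-path")
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None  # destination is a hostname, not a bare address
    if ip is not None:
        if ip in C2_ADDRESSES:
            reasons.append("known-c2-address")
        elif any(ip in net for net in C2_NETBLOCKS):
            reasons.append("c2-netblock")  # inside the /22 the post suggests blocking
    return reasons


def scan_log(text: str) -> list:
    """Return (client, destination, reasons) for every line that matched something."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            fields = line.split()
            hits.append((fields[1], fields[2], reasons))
    return hits


def compromised_clients(hits) -> set:
    """Clients seen both fetching a dropper and talking to the C2 range: the ones
    to isolate first, rather than every host that tripped a single rule."""
    downloaded, beaconed = set(), set()
    for client, _dest, reasons in hits:
        if DOWNLOAD_REASONS & set(reasons):
            downloaded.add(client)
        if C2_REASONS & set(reasons):
            beaconed.add(client)
    return downloaded & beaconed


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, dest, reasons in found:
        print(f"{client} -> {dest}: {', '.join(reasons)}")
    print("likely infected:", sorted(compromised_clients(found)))
```

The netblock test is what makes the /22 recommendation cheap to apply retrospectively: a single beacon to any address in 91.239.232.0/22 is flagged even though only one address in it is named. The pattern rule is deliberately strict about the second component (no dots or dashes), which is why the ordinary setup-1.2.exe download in the sample does not fire.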

Tuesday, 2 February 2016

Malware spam: "RB0081 INV2372039" / Sales invoice [salesinvoice@leathams.co.uk]

This fake financial spam does not come from Leathams but is instead a simple forgery with a malicious attachment.

From:    Sales invoice [salesinvoice@leathams.co.uk]
Reply-To:    "no-reply@leathams.co.uk" [no-reply@leathams.co.uk]
Date:    2 February 2016 at 13:15
Subject:    RB0081 INV2372039

Dear Sir/Madam,

Please find attached your sales invoice(s) for supplied goods.  Please process for payment as soon as possible.

In the event that you have a query - please direct your query as follows;

For the following please contact our Nottingham Office on 020 7635 3190 or email NottinghamTelesales@Leathams.co.uk:

                Incorrect items delivered
                Quality Complaint
                Goods Damaged in Transit
                Price query against goods

For the following please contact Credit Control on 020 7635 4049 or email creditcontrol@leathams.co.uk:

                Delivery Shortages

Please note that queries reported outside of our terms of business may not be accepted.

Many thanks and kind regards

Leathams Credit Control
2 Rollins Street, London, SE15 1EW
Tel: +44 (0)20 7635 4049
Email: creditcontrol@leathams.co.uk

DID YOU KNOW LEATHAMS IS GOING PAPERLES IN 2015 - Please note that Leathams will be emailing all invoices and staments in 2015.  Kindly confirm by return email what email address we should send your future invocies and statements to.

IMPORTANT TERMS OF BUSINESS - Please note the following time critical terms;

Delivery Queries - You must notifiy Leathams in writing of any defects within 2 working days stating precisly its reason(s) for rejection.  Failure to do so within this time frame will result in any claims being rejected.

Invoice Queries - You must notifiy Leathams in writing of any descrepancies within 7 working days.  If a query is not resolved in time then it is expected that you settle what you believe to be correct, queries should not hold up any payments to Leathams.

Late Payment Fees - Late payment of invoices will result in penalty interest of 8% above the bank of England base rate. We also reserve the right to apply a late payment fee in accordance with UK Late Payment Legislation.

Size of unpaid debt             Sum to be paid to the creditor
Up to £999.99                   £40.00
£1,000.00 to £9,999.99          £70.00
£10,000.00 or more              £100.00


Follow us on Twitter <http://twitter.com/LeathamsLtd>
Connect on LinkedIn <http://www.linkedin.com/company/leathams-ltd/>


www.leathams.co.uk <http://www.leathams.co.uk/>


_____________________________________________________________________

This e-mail and any attachments are confidential and intended solely for the addressee. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free.

Leathams Ltd does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by Leathams Ltd for operational or business reasons.

Any opinion or other information in this e-mail or its attachments, that does not relate to the business of Leathams Ltd, is personal to the sender and is not given or endorsed by Leathams Ltd.

Leathams Ltd. Registered in England (registered no. 1689381).
Registered Office: 227-255 Ilderton Road, London SE15 1NS, United Kingdom

 -------------------------------------------------------------------------------------------------------------
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
_____________________________________________________________________

Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least two different versions (VirusTotal [1] [2]). The Malwr analysis for one of those samples shows a download from:

fillingsystem.com/5h4g/0oi545gfgf.exe

This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero (MD5 0d37099eaff9c507c782fd81c715255b). Analysis of this is pending. The payload is the Dridex banking trojan.

UPDATE 

Automated analysis [1] [2] shows the executable phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I strongly recommend blocking traffic to that IP, or the whole /22 in which it resides.

Malware spam: "PURCHASE 02/02/2016 D1141" / sales@flowervision.co.uk

This spam does not come from Flower Vision but is instead a simple forgery with a malicious attachment:

From:    sales@flowervision.co.uk
Date:    2 February 2016 at 08:28
Subject:    PURCHASE 02/02/2016 D1141


FLOWERVISION

Internet Order Confirmation                                                   Page 1/1

Colli x Quan   Total   Price   Product                     S1   S2   S3   Del.Day   Total   Remark
1 x 25         25      0.32    Hyacinthus Or Delft Blue    30   0    22   160129    8.00    Flowers London
4 x 1          4       5.50    Oasis Spray Paint Voilet    0    0    0    160129    22.00   Sundries London
2 x 10         20      1.37    Syringa V Primrose          90   0    45   160129    27.40   Flowers London
1 x 50         50      0.25    Tulipa En Antarctica        40   46   33   160129    12.50   Flowers London
1 x 50         50      0.34    Veronica Clea Diana         60   0    44   160129    17.00   Flowers London
               149                                                                  86.90

Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50. This Hybrid Analysis shows the macro in the spreadsheet downloading from:

www.torinocity.it/5h4g/0oi545gfgf.exe

This binary has a detection rate of 5/51, and is the same payload as seen earlier.

Malware spam: "Order Dispatch: AA207241" / aalabels [customercare97125@aalabels.com]

This fake financial spam is not from aalabels.com but is instead a simple forgery with a malicious attachment.

From:    aalabels [customercare97125@aalabels.com]
Date:    2 February 2016 at 07:06
Subject:    Order Dispatch: AA207241

Order Dispatch Confirmation

Dear Customer,

This email is to confirm that your order number AA207241 has been dispatched from our warehouse today and your order will be with you the following working day.

Your order has been dispatched via DPD and your order tracking number is 1160173211.

A VAT invoice for your order has been attached in pdf format for your reference.

Code     Product Name     Qty     QS     QB     No of Packs
AAS021WTP     Matt White - Permanent A4 Sheet Labels - 21 Rectangle - 63.5 mm x 38.1 mm     1000     1000     0     10

QS: Quantity Shipped
QB: Quantity Backed

If you need to contact us about this order then please call our customer care team on 01733 588 390 or email customercare@aalabels.com

Thank you for your order.

Kind regards,

AA Labels

www.aalabels.com
23 Wainman Road
Woodston
Peterborough
PE2 7BU
United Kingdom
Phone:  01733 588390
Fax: 01733 425106

The sender's email address and details vary from email to email, however they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]). These Malwr reports [4] [5] [6] show the macro in the documents downloading from one of the following locations:

timestyle.com.au/5h4g/0oi545gfgf.exe
hebenstreit.us.com/5h4g/0oi545gfgf.exe
fillingsystem.com/5h4g/0oi545gfgf.exe


This binary has a detection rate of 5/52. That VirusTotal result and those Malwr reports show it phoning home to:

91.239.232.145 (Hostpro Ltd, Ukraine)

I would strongly recommend blocking traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects.

Monday, 1 February 2016

Malware spam: Scanned image from copier@victimdomain.tld

This fake document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple forgery with a malicious attachment.

From:    copier@victimdomain.tld
Date:    1 February 2016 at 12:11
Subject:    Scanned image from copier@victimdomain.tld

Reply to: copier@victimdomain.tld [copier@victimdomain.tld]
Device Name: COPIER
Device Model: MX-2310U

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

I have seen two different versions of the attached document, named in a format copier@victimdomain.tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report for one of them shows the macro downloading from:

dulichando.org/u56gf2d/k76j5hg.exe

This executable has a detection rate of 4/53 and the Hybrid Analysis reports that it phones home to:

185.24.92.236 (System Projects LLC, Russia)

I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.

Malware spam: "Order Processed." / NoReply-Duration Windows [noreply@duration.co.uk]

This fake financial spam does not come from Duration Windows but is instead a simple forgery with a malicious attachment:

From     NoReply-Duration Windows [noreply@duration.co.uk]
Date     Mon, 01 Feb 2016 04:21:03 -0500
Subject     Order Processed.

Dear Customer,

Please find details for your order attached as a PDF to this e-mail.

Regards,
Duration Windows
Sales Department

___________________________________________________________

This email has been scanned by FilterCloud Email Security.
For more information please visit http://filtercloud.co.uk

I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54.

Analysis of the attachment is pending, however this is likely to be the Dridex banking trojan.

UPDATE

The Malwr analysis shows that the document downloads a malicious executable from:

www.peopleond-clan.de/u56gf2d/k76j5hg.exe

This has a VirusTotal detection rate of 4/54 and those reports plus this Hybrid Analysis show it phoning home to:

185.24.92.236 (System Projects LLC, Russia)

I strongly recommend that you block traffic to that IP.

Malware spam: Invoice 123456 from COMPANY NAME

This spam appears to originate from a variety of companies with different references. It comes with a malicious attachment.

From:    Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date:    1 February 2016 at 08:39
Subject:    Invoice 48014 from JKX OIL & GAS

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Marisol Barrett

JKX OIL & GAS

=========================

From:    Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date:    1 February 2016 at 09:38
Subject:    Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Oswaldo Browning

J P MORGAN PRIVATE EQUITY LTD

=========================

From:    Pansy Haley [HaleyPansy95@victimdomain.tld]
Date:    1 February 2016 at 08:50
Subject:    Invoice 95101 from HWANGE COLLIERY CO

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Pansy Haley

HWANGE COLLIERY CO


=========================

From:    Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date:    1 February 2016 at 08:51
Subject:    Invoice 27051 from ESSENDEN PLC

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Ruth Martinez

ESSENDEN PLC

The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).

Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

A different variant of the spam email is going on, which appears to have roughly the same payload:

From:    Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date:    1 February 2016 at 10:09
Subject:    Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC

Hello,

The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.

Your transaction reference number is A3546F.

Kind Regards,

Heather Mcfadden

HAYWARD TYLER GROUP PLC

UPDATE 2

The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:

31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php


These IPs can be considered as malicious, and belong to:

31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)


This drops a malicious binary with a detection rate of 2/53. This phones home to:

185.24.92.229 (System Projects, LLC, Russia)

This spam appears to be pushing the Dridex banking trojan (botnet 120 perhaps).

Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23

Friday, 29 January 2016

Malware spam: "Despatch Note FFGDES34309" / Foyle Food Group Limited [accounts@foylefoodgroup.com]

This fake financial spam is not from Foyle Food Group Limited but is instead a simple forgery with a malicious attachment:

From     Foyle Food Group Limited [accounts@foylefoodgroup.com]
Date     Fri, 29 Jan 2016 17:58:37 +0700
Subject     Despatch Note FFGDES34309

Please find attached Despatch Note FFGDES34309

I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:

jjcoll.in/56gf/g545.exe
romana.fi/56gf/g545.exe
clickchiropractic.com/56gf/g545.exe


This has an MD5 of d88c2bed761c7384d0e8657477af9da7 and a detection rate of 6/49. According to my contact, this phones home to:

85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)


This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.

Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3


Malware spam: "Quick Question" / Resume.rtf

This spam leads to malware:

From:    Laurena Washabaugh [washabaugh.1946@rambler.ru]
Date:    29 January 2016 at 10:10
Subject:    Quick Question
Signed by:    rambler.ru

What's going on?
I was visting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.

Best regards,

--
Laurena Washabaugh 

The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro [pastebin]; the document has a VirusTotal detection rate of 9/54. I haven't had time to do a detailed analysis, but these automated analyses [1] [2] [3] show it phoning home to:

89.248.166.131 (Quasi Networks, Seychelles)

I recommend that you block traffic to that IP. I'm not sure about what this drops, possibly ransomware. No doubt someone reading this will :)
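Two of the runs on this page lean on the attachment's name lying about its content: the Resume.rtf above that is really a macro-carrying DOCX, and the GS Toilet Hire run further up where a .pdf.zip archive holds a .js script. The following is an added example (not the blog author's code) of the kind of triage a mail gateway or analyst can apply before anything is opened: identify the real type from standard file signatures, flag an extension that disagrees with it, flag doubled document-style extensions, and look inside ZIP containers (which is what every OOXML file is) for script members or a vbaProject.bin macro stream. The sample attachments are harmless constructed stand-ins built in memory, not the real files.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Standard file signatures (assumed here; first bytes of each format)
SIGNATURES = [
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx/.xlsx) is a ZIP container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy binary .doc/.xls
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),
]
# What the content should really be, given the extension the sender chose
EXPECTED_KIND = {".rtf": "rtf", ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip",
                 ".doc": "ole2", ".xls": "ole2", ".zip": "zip"}
# Members that have no business inside an "invoice" archive
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr",
              ".cmd", ".bat", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def sniff(data: bytes) -> str:
    """Identify the real format from its leading bytes, ignoring the filename."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    suffixes = PurePosixPath(filename.lower()).suffixes
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        findings.append(f"extension {ext} but content is {kind}")
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT:
        findings.append(f"double extension {''.join(suffixes[-2:])}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return findings + ["ZIP signature but archive is unreadable"]
        for member in members:
            if PurePosixPath(member.lower()).suffix in SCRIPT_EXT:
                findings.append(f"script inside archive: {member}")
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append("OOXML document carries a VBA project (vbaProject.bin)")
    return findings


def _zip_bytes(members: dict) -> bytes:
    """Build a small ZIP in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for the attachments discussed in the posts (not the real files)
FAKE_MACRO_DOCX = _zip_bytes({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"placeholder for a VBA project stream",
})
FAKE_JS_IN_ZIP = _zip_bytes({"invoice_id6395788111.js": b"// placeholder, not the real script\n"})
GENUINE_RTF = b"{\\rtf1\\ansi Hello}"

if __name__ == "__main__":
    for name, blob in [("Resume.rtf", FAKE_MACRO_DOCX),
                       ("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip", FAKE_JS_IN_ZIP),
                       ("quote.rtf", GENUINE_RTF)]:
        print(name, "->", triage(name, blob) or "clean")
```

Word opens a ZIP-based document regardless of the .rtf extension, which is exactly why the Resume.rtf lure works; checking the signature rather than the name closes that gap, and the vbaProject.bin test catches the macro without having to parse it.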

Wednesday, 27 January 2016

Malware spam: "Enterprise Invoices No.91786" / Enterprise Security Distribution (South West) Limited

This fake financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple forgery with a malicious attachment.

From:    Vicki Harvey
Date:    27 January 2016 at 15:30
Subject:    Enterprise Invoices No.91786

Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE


Vicki Harvey
Accountant
Tel: 0117 977 5373

The name of the sender and references will vary. There seem to be several different versions of the attachment, named in a format Canon-mf30102A13A@altel.kz_2615524.xls; some example results at VirusTotal are here [1] [2] [3] [4].

The attachments are malformed. You may not be able to download them, or it may appear there are no attachments. It will vary from email client to email client.

Analysis of the attachments is pending, although these Malwr analyses [1] [2] [3] show attempted downloads from:

109.234.35.37/californication/ninite.php
5.189.216.105/californication/ninite.php

This binary has a zero detection rate at VirusTotal. That VirusTotal report and this Malwr report indicate network traffic to:

8.254.218.46 (Level 3, US)

I strongly recommend that you block traffic to that IP. This will be some variant of the Dridex banking trojan.

[UPDATE]

This additional Malwr report shows another IP worth blocking:

103.224.83.130 (#2 of Group 1, Lingshan, China)

Malware spam: "Invoice 9210" / Dawn Salter [dawn@mrswebsolutions.com]

This fake financial spam is not from MRS Web Solutions Ltd but is instead a simple forgery with a malicious attachment.

From     Dawn Salter [dawn@mrswebsolutions.com]
Date     Wed, 27 Jan 2016 19:04:27 +0530
Subject     Invoice 9210

Good afternoon

I hope all is good with you.

Please see attached invoice 9210.

Kind regards

Dawn

Dawn Salter
Office Manager

Tel:
DDI:
Web:


+44 (0)1252 616000 / +44 (0)1252 622722
+44 (0)1252 916494
www.mrswebsolutions.com

1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ


[Google Partner]

[BPMA Chartered Supplier]

[Facebook]

[LinkedIn]

[Twitter]

[Google Plus]


DISCLAIMER: This e-mail and attachments are confidential and are intended solely
for the use of the individual to whom it is addressed. Any views or opinions presented
are solely those of the author and do not necessarily represent those of MRS Web
Solutions Limited. If you are not the intended recipient, be advised that you have
received this e-mail in error and that any use, dissemination, forwarding, printing,
or copying of this e-mail is strictly prohibited. If this transmission is received
in error please notify the sender immediately and delete this message from your e-mail
system. All electronic transmissions to and from MRS Web Solutions Ltd are recorded
and may be monitored.Company Registered in England No. 3900283. VAT GB733622153.


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The attachment is named 9210.doc which I have seen come in three versions (VirusTotal [1] [2] [3]). The Malwr reports for those [4] [5] [6] show executable download locations at:

www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
www.hartrijders.com/54t4f4f/7u65j5hg.exe
grudeal.com/54t4f4f/7u65j5hg.exe


This binary has a detection rate of 1/53 and an MD5 of 9c8b2d84665aeedc1368e9951c07a469. Hybrid Analysis of the binary shows that it phones home to:

119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)

This is the same IP as seen in this earlier spam run; I recommend you block it.

Malware spam: "New Order" / Michelle Ludlow [Michelle.Ludlow@dssmith.com]

This fake financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.

From     Michelle Ludlow [Michelle.Ludlow@dssmith.com]
Date     Wed, 27 Jan 2016 17:27:22 +0800
Subject     New Order

Hi

Please see attached for tomorrow.

Thanks
Michelle Ludlow
Customer Services Co-Ordinator - Packaging Services

Packaging Division
Dodwells Road, Hinckley LE10 3BX, United Kingdom
T +44 (0)1455 892939 F  +44 (0)1455 892924
michelle.ludlow@dssmith.com
www.dssmith.com

This e-mail message is intended solely for the person to whom it is addressed and
may contain confidential or privileged information. If you have received it in error,
please notify us immediately and destroy this e-mail and any attachments. In addition,
you must not disclose, copy, distribute or take any action in reliance on this e-mail
or any attachments. Any views or opinions presented in this e-mail are solely those
of the author and do not necessarily represent those of the company. E-mail may be
susceptible to data corruption, interception, unauthorised amendment, viruses and
unforeseen delays, and we do not accept liability for any such data corruption, interception,
unauthorised amendment, viruses and delays or the consequences thereof. Accordingly,
this e-mail and any attachments are opened at your own risk. DS Smith Plc, registered
in England and Wales (company number 1377658), with its registered office at 350
Euston Road, London, NW1 3AX.

So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:

vinagps.net/54t4f4f/7u65j5hg.exe
trendcheckers.com/54t4f4f/7u65j5hg.exe


This binary has a detection rate of 5/53. Those two Malwr reports and the VirusTotal report show the malware phoning home to:

119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)

I strongly recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity.

Tuesday, 26 January 2016

Malware spam: "Alpha Heating Innovation"

This fake financial email is not from Alpha Heating Innovation but is instead a simple forgery with a malicious attachment:

From     Kurt Sexton
Date     Tue, 26 Jan 2016 10:59:05 -0500
Subject     =?UTF-8?B?UmVtaXR0YW5jZSBBZHZpY2UgNTk2M0U5?=

For the attention of Accounts Receivable,

We are attaching an up to date remittance advice detailing the latest payment on
your account.

Please contact us on the email address below if you would like your remittance sent
to a different email address, or have any queries regarding your remittance.


Kind regards,
Kurt Sexton

Best Regards,

Kurt Sexton


Credit Controller - Alpha Heating Innovation



t - 01732 783 019

f - 0844 871 8765

e - stacey.tomsett@alpha-innovation.co.uk

w - www.alpha-innovation.co.uk



Head Office: Alpha Heating Innovation - Nepicar House - London Road - Wrotham Heath
- Kent - TN15 7RS - 01732 783 000

National Distribution Centre: Alpha Heating Innovation – Unit 7 Euroway – Quarry
Wood Industrial Estate - Aylesford - Kent – ME20 7UB - 01622 711 000

The names of the sender and reference numbers will vary. I have only seen two different variants of the attachment, in the format remittance_advice5963E9.doc (VirusTotal [1] [2]) but there are probably more. Analysis is pending, and at the moment I have not had time to decode the document that looks like this [pastebin]. It does seem to have some characteristics of a Dridex downloader.

Monday, 25 January 2016

Malware spam FAIL: "Direct Debit Mandate from COMPANY NAME"

This morning's Dridex spam run spoofs a set of random companies. However, the attachment is malformed and cannot be downloaded.. at least in the samples I have seen.

From:    Hilton Castaneda
Date:    25 January 2016 at 09:40
Subject:    Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST

Good morning

Please attached Direct Debit Mandate from NORTH ATLANTIC SMALL COS INV TST;
complete, sign and scan return at your earliest convenience.


Kind regards,

Hilton Castaneda
TEAM SUPPORT
NORTH ATLANTIC SMALL COS INV TST
t. 01897 566 634
f. 0856 814 1637

==========

From:    Stanford Rich
Date:    25 January 2016 at 08:39
Subject:    Direct Debit Mandate from SUNPLUS TECHNOLOGY CO LTD

Good morning

Please attached Direct Debit Mandate from SUNPLUS TECHNOLOGY CO LTD;
complete, sign and scan return at your earliest convenience.


Kind regards,

Stanford Rich
TEAM SUPPORT
SUNPLUS TECHNOLOGY CO LTD
t. 01899 146 416
f. 0818 208 3763

==========

From:    Jewell Chavez
Date:    25 January 2016 at 09:38
Subject:    Direct Debit Mandate from STELLAR DIAMONDS PLC

Good morning

Please attached Direct Debit Mandate from STELLAR DIAMONDS PLC;
complete, sign and scan return at your earliest convenience.


Kind regards,

Jewell Chavez
TEAM SUPPORT
STELLAR DIAMONDS PLC
t. 01723 748 961
f. 0849 101 7259

==========

From:    Louisa Nielsen
Date:    25 January 2016 at 09:08
Subject:    Direct Debit Mandate from HALMA

Good morning

Please attached Direct Debit Mandate from HALMA;
complete, sign and scan return at your earliest convenience.


Kind regards,

Louisa Nielsen
TEAM SUPPORT
HALMA
t. 01522 109 616
f. 0868 158 4319

I haven't had time to do any analysis on the b0rked attachments. I will try to post some updates later.

Friday, 22 January 2016

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

This fake delivery email is not from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    22 January 2016 at 12:14
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.xls which appears to come in at least two variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from:

www.stijnminne.be/ghf56sgu/0976gg.exe
raeva.com.ua/ghf56sgu/0976gg.exe

This binary has a detection rate of 4/54. It is the same payload as found in this earlier spam run.

Malware spam: "Message from KONICA_MINOLTA" / MFD / scanner / SKM_4050151222162800.doc

At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.

Subject:    Message from KONICA_MINOLTA
Subject:    Message from MFD
Subject:    Message from scanner

The spam appears to come from within the victim's own domain, from one of the following email addresses:

MFD@victimdomain.tld
scanner@victimdomain.tld
KONICA_MINOLTA@victimdomain.tld

This is just a simple forgery. It doesn't mean that your organisation has been compromised.. it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in three versions (VirusTotal [1] [2] [3]). The Malwr reports [4] [5] [6] indicate executable download locations at:

www.showtown-danceband.de/ghf56sgu/0976gg.exe
ausonia-feng-shui.de/ghf56sgu/0976gg.exe
gahal.cz/ghf56sgu/0976gg.exe


This binary has a detection rate of 1/54 and that VirusTotal report plus this Malwr report show it phoning home to:

192.241.207.251 (Digital Ocean Inc., US)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220.


Thursday, 21 January 2016

Malware spam: "Gompels Healthcare Ltd Invoice" / Gompels Healthcare ltd [salesledger@gompels.co.uk]

This fake financial spam does not come from Gompels Healthcare Ltd but is instead a simple forgery with a malicious attachment.

From:    Gompels Healthcare ltd [salesledger@gompels.co.uk]
Date:    21 January 2016 at 12:57
Subject:    Gompels Healthcare Ltd Invoice

Hello
Please see attached pdf file for your invoice
Thank you for your business

The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:

return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe


That marks it out as Dridex 220, similar to this spam run. However, the executable has changed from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal. The malware still phones home to the same IP of 216.224.175.92 as before.

Malware spam FAIL: "Credit UB 7654321 dated 15.01.15 £12,345.67 - COMPANY NAME"

This fake financial spam is meant to have a malicious attachment. Company names, senders, values and reference numbers vary, but here are some examples:

From:    Inez Rhodes
Date:    21 January 2016 at 12:33
Subject:    Credit UB 1130909 dated 15.01.15 £26,842.15 - EXOVA GRP PLC

Hi,

Please find attached Debit Note UB11309096 which will offset UB 11309097

Due to a system error UB11309097 was raised with an invoice date being 20/01/15, when it should have been 22/01/16

Regards,

Inez Rhodes
Management Accountant - EXOVA GRP PLC
t. 01523 171 662
f. 0888 650 6709

==========

From:    Cortez Bird
Date:    21 January 2016 at 12:40
Subject:    Credit UB 1793159 dated 15.01.15 £77,538.80 - BARCLAYS PLC


Hi,

Please find attached Debit Note UB17931596 which will offset UB 17931597

Due to a system error UB17931597 was raised with an invoice date being 20/01/15, when it should have been 22/01/16

Regards,

Cortez Bird
Management Accountant - BARCLAYS PLC
t. 01662 855 271
f. 0882 284 7942

==========

From:    Autumn Pierce
Date:    21 January 2016 at 11:39
Subject:    Credit UB 1911242 dated 15.01.15 £73,910.50 - GLOBAL PORTS INVESTMENTS PLC

Hi,

Please find attached Debit Note UB19112426 which will offset UB 19112427

Due to a system error UB19112427 was raised with an invoice date being 20/01/15, when it should have been 22/01/16

Regards,

Autumn Pierce
Management Accountant - GLOBAL PORTS INVESTMENTS PLC
t. 01361 953 147
f. 0883 597 3136

Example attachment names are:
HPscanner3F3AB@ebene-events.net_250371.doc
HPscanner5CF83@hacettepe.edu.tr_8760547.doc
Sharp87143@autoprivoz.ru_3718432.doc
HPscanner7180F@instrument-pily.ru_1587243.doc


In all the samples I have seen, the attachment is not formatted correctly and cannot be downloaded. Typically it will appear to be a 0 byte file with no name, but results might vary depending on the mail client.

After manually decoding the malware from the Base64 section in the email, I found two distinct versions of the attachment (VirusTotal [1] [2]) and the Malwr reports [3] [4] show a malicious download from:

5.189.216.101/dropbox/download.php

The payload is the Dridex banking trojan (botnet 120) as described here.

Malware spam: admin@replacementkeys.co.uk / INVOICEPaid_100114000.xls

This spam does not come from admin@replacementkeys.co.uk but is instead a simple forgery with a malicious attachment.

From     Replacement Keys [admin@replacementkeys.co.uk]
Date     Thu, 21 Jan 2016 17:15:08 +0530
Subject     =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=

Order Received!

We will send you another email when it has been dispatched . If you have any questions about your order please reply to this email. Your order confirmation is below. Thank you for ordering from us.
Thank you again,
Replacement Keys

Attached is a file INVOICEPaid_100114000.xls of which I have only seen a single variant. The VirusTotal detection rate is 4/53 and the Malwr report indicates a download location from:

montaj-klimat.ru/8h75f56f/34qwj9kk.exe

The binary dropped is identical to the one in this earlier spam run and it leads to the Dridex banking trojan.
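The "Credit UB" post above describes a malformed attachment that mail clients show as a nameless 0-byte file, recovered only by decoding the Base64 section of the raw message by hand, and the Replacement Keys spam carries a raw encoded-word Subject. The following is an added example (not the blog author's code) of doing both with Python's standard email module: it parses a constructed message (placeholder sender, the page's encoded Subject, a harmless text stand-in for the attachment whose MD5 is a well-known test vector), pulls every Base64 body part whether or not it has a filename, and falls back to scanning the raw bytes for Base64 runs when the MIME structure is too broken for the parser, so an analyst gets the bytes and their hashes to compare against VirusTotal. The build_sample_email helper and its broken variant are my constructions, not a real sample.

```python
import base64
import binascii
import email
import hashlib
import re
from email import policy

# Constructed stand-in for the attachment bytes (NOT malware); its MD5 is the
# well-known test vector 9e107d9d372bb6826bd81d3542a419d6.
SAMPLE_PAYLOAD = b"The quick brown fox jumps over the lazy dog"
# Encoded-word Subject copied from the Replacement Keys spam quoted above
ENCODED_SUBJECT = "=?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?="


def build_sample_email(broken: bool) -> bytes:
    """Constructed message: an attachment part with no filename and, when broken=True,
    headers that run straight into the body plus a missing closing boundary, which is
    the sort of damage that makes a client show a nameless 0-byte attachment."""
    b64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
    head = (
        "From: Replacement Keys <admin@example.invalid>\r\n"   # placeholder sender
        f"Subject: {ENCODED_SUBJECT}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nOrder Received!\r\n\r\n"
    )
    part = ("--b1\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n")
    if broken:
        part += b64 + "\r\n"                                   # no blank line, no --b1--
    else:
        part += "Content-Disposition: attachment\r\n\r\n" + b64 + "\r\n--b1--\r\n"
    return (head + part).encode()


B64_LINE = re.compile(rb"[A-Za-z0-9+/=]{16,}")


def _raw_base64_runs(raw: bytes):
    """Fallback: decode runs of Base64-looking lines found anywhere in the raw text,
    which still works when the MIME boundaries or part headers are mangled."""
    run = []
    for line in raw.splitlines() + [b""]:
        if B64_LINE.fullmatch(line):
            run.append(line)
            continue
        joined, run = b"".join(run), []
        if len(joined) >= 40 and len(joined) % 4 == 0:
            try:
                yield base64.b64decode(joined, validate=True)
            except binascii.Error:
                pass


def _describe(data: bytes, source: str, filename) -> dict:
    return {"source": source, "filename": filename, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def recover_attachments(raw: bytes) -> dict:
    """Decode the Subject and collect every binary blob the message carries,
    de-duplicated by SHA-256 across the parser path and the raw-scan path."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if part.get_content_maintype() != "application" and cte != "base64":
            continue
        data = part.get_payload(decode=True) or b""
        if data:
            d = _describe(data, "mime-part", part.get_filename())
            found.setdefault(d["sha256"], d)
    for data in _raw_base64_runs(raw):
        d = _describe(data, "raw-base64-scan", None)
        found.setdefault(d["sha256"], d)
    return {"subject": str(msg["Subject"]), "attachments": list(found.values())}


if __name__ == "__main__":
    for broken in (False, True):
        result = recover_attachments(build_sample_email(broken))
        print("subject:", result["subject"])
        for a in result["attachments"]:
            print(f"  {a['source']}: {a['size']} bytes md5={a['md5']} name={a['filename']}")
```

Hashing first and looking the hash up is the cheap way to learn whether a sample is one already seen, as the posts do with their VirusTotal links; detonation can then be reserved for samples that are genuinely new.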