Wednesday, 10 February 2016
Malware spam: "New Doc 115" / "Sent from Yahoo Mail on Android"
This rather terse spam has a malicious attachment:
From: admin [ali73_2008949@yahoo.co.uk]
Date: 10 February 2016 at 10:16
Subject: New Doc 115
Sent from Yahoo Mail on Android
The sender's email address varies from message to message. Attached is a file New Doc 115.doc which is reportedly identical to the one found in this spam campaign.
Malware spam: Emailing: MX62EDO 10.02.2016 / documents@dmb-ltd.co.uk
This spam has a malicious attachment:
From documents@dmb-ltd.co.uk
Date Wed, 10 Feb 2016 11:12:41 +0200
Subject Emailing: MX62EDO 10.02.2016
Your message is ready to be sent with the following file or link
attachments:
MX62EDO 10.02.2016 SERVICE SHEET
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of the document, downloading a malicious executable from the following locations:
calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n
This drops an executable with a VirusTotal detection rate of 6/55. The malware calls back to the following IPs:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)
The payload is the Dridex banking trojan. Some chatter I have seen indicates that this build has been hardened against analysis.
Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3
Tuesday, 9 February 2016
Malware spam: "Accounts" / [accounts_do_not_reply@aldridgesecurity.co.uk]
This rather terse spam does not come from Aldridge Security but it is instead a simple forgery with a malicious attachment. There is no subject.
From [accounts_do_not_reply@aldridgesecurity.co.uk]
Date Tue, 09 Feb 2016 10:31:14 +0200
Subject
Accounts
I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54. Automated analysis [1] [2] shows that it downloads a malicious executable from:
promo.clickencer.com/4wde34f/4gevfdg
This has a detection rate of 5/54. Those analyses indicate that the malware phones home to:
50.56.184.194 (Rackspace, US)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.
Monday, 8 February 2016
Malware spam: "Accounts Documentation - Invoices" / CreditControl@crosswater.co.uk
This fake financial spam does not come from Crosswater Holdings, but it is instead a simple forgery with a malicious attachment:
From: CreditControl@crosswater.co.uk
Date: 8 February 2016 at 10:34
Subject: Accounts Documentation - Invoices
Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:
Accounts@crosswater-holdings.co.uk
or call us on 0845 873 8840
Please do not reply to this E-mail as this is a forwarding address only.
Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3] [4] [5] [6] these scripts download from:
hydroxylapatites7.meximas.com/98876hg5/45gt454h
80.109.240.71/~l.pennings/98876hg5/45gt454h
This drops an executable with a detection rate of 3/53 which appears to phone home to:
188.40.224.73 (NoTag, Germany)
I strongly recommend that you block traffic to that IP address. The payload is likely to be the Dridex banking trojan.
Thursday, 4 February 2016
Malware spam: "BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016" / "Fuel Card Services" [adminbur@fuelcardgroup.com]
This fake financial spam does not come from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:
From "Fuel Card Services" [adminbur@fuelcardgroup.com]
Date Thu, 04 Feb 2016 04:29:24 -0700
Subject BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.
E-billing
-
From: adminbur@fuelcardservices.com
Sent: Thu, 04 Feb 2016 04:29:24 -0700
To: [redacted]
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage your account online please click
http://eservices.fuelcardservices.com
If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin.
Fuel Card Services Ltd
T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com
Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).
Please also note that if you cannot open this attachment and are using
Outlook Express to view your mail you should select Tools / Options / Security Tab
and deselect the option marked "Do not allow attachments to be opened that
potentially may be a virus".
All of our outgoing mail is fully virus scanned but we recommend this
facility is re-enabled if you do not use virus scanning software.
I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro [pastebin]. It is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:
www.trulygreen.net/43543r34r/843tf.exe
Also reported as a download location:
www.mraguas.com/43543r34r/843tf.exe
If you look at the details of the Malwr report, the script creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52 and this Hybrid Analysis shows that it phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
This is the same IP address as seen earlier, but the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too.
Malware spam: "More scans" / admin@victimdomain.tld / DOC201114-201114-001.js
This terse spam appears to originate from within the victim's own organisation, but it does not. Instead it is a simple forgery with a malicious attachment:
From: admin [admin@victimdomain.tld]
Date: 4 February 2016 at 08:17
Subject: More scans
Attached is a file DOC201114-201114-001.js which comes in a variety of different variants. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.
Malware spam: "January balance £785" / Alison Smith [ASmith056@jtcp.co.uk]
This fake financial spam does not come from J. Thomson Colour Printers, but is instead a simple forgery with a malicious attachment:
From Alison Smith [ASmith056@jtcp.co.uk]
Date Thu, 04 Feb 2016 10:52:21 +0300
Subject "January balance £785"
Hi,
Thank you for your recent payment of £672.
It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?
Regards
Alison Smith
Assistant Accountant
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Tel: 0141 429 1094
www.jtcp.co.uk
Save Paper - Do you really need to print this e-mail?
The poor company being spoofed has already been hit by this attack recently [1] [2]. The email address of the sender varies from message to message.
Attached is a file IN161561-201601.js which comes in at least five different versions (VirusTotal [1] [2] [3] [4] [5]). This is a highly obfuscated script that looks like this [pastebin], and automated analysis of the various scripts [6] [7] [8] [9] [10] [11] [12] [13] shows that the script downloads from the following locations (there may be more):
ejanla.co/43543r34r/843tf.exe
cafecl.1pworks.com/43543r34r/843tf.exe
This binary has a detection rate of 2/52 and phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220.
Wednesday, 3 February 2016
Malware spam: "Attached Image" from canon@ the recipient's own domain
This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.
From: canon@victimdomain.tld
Date: 3 February 2016 at 12:09
Subject: Attached Image
There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54. The Hybrid Analysis shows it downloading an executable from:
best-drum-set.com/43rf3dw/34frgegrg.exe
This has a detection rate of 6/51 and is the same binary as used in this other spam attack today.
Malware spam: "Invoice MOJU-0939" / Accounts [message-service@post.xero.com]
This fake financial spam does not come from Moju Ltd but is instead a simple forgery with a malicious attachment:
From: Accounts [message-service@post.xero.com]
Date: 3 February 2016 at 09:04
Subject: Invoice MOJU-0939
Hi,
Here's invoice MOJU-0939 for 47.52 GBP. For last week's delivery.
The amount outstanding of 47.52 GBP is due on 25 Feb 2016.
If you have any questions, please let us know.
Thanks,
Moju Ltd
I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has a detection rate of 2/53 and which according to this Malwr report downloads a binary from:
www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe
This payload is the same as seen in this concurrent spam run.
Malware spam: "GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016"
This fake financial spam does not come from GS Toilet Hire but is instead a simple forgery with a malicious attachment. In other words, if you open it.. you will be in the sh*t.
From: GS Toilet Hire [donotreply@sageone.com]
Date: 3 February 2016 at 09:12
Subject: GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
Good morning
Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.
Kind regards,
Linda Smith
Office, GS Toilet Hire
Direct enquiries
Glenn Johnson
07930 391 011
I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates [1] [2] and contain highly obfuscated scripts [3] [4] which according to these analyses [5] [6] [7] download a binary from one of the following locations:
obstipatie.nu/43rf3dw/34frgegrg.exe
bjhaggerty.com/43rf3dw/34frgegrg.exe
(also www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe from this related spam run)
This type of download location indicates that this is Dridex 220; it is unusual for it to be spammed out in a Javascript-in-ZIP format rather than as a malicious Office macro. The binary has a detection rate of 5/49 and this Hybrid Analysis shows the malware phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend that you block all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.
UPDATE
The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc, which comes in at least two different variants (VirusTotal [1] [2]) and which according to these Malwr reports [3] [4] downloads a binary from the following locations:
xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband.com/43rf3dw/34frgegrg.exe
(also best-drum-set.com/43rf3dw/34frgegrg.exe from this later spam run)
This is a different binary from before, with a detection rate of 4/53. It still phones home to the same location.
Tuesday, 2 February 2016
Malware spam: "RB0081 INV2372039" / Sales invoice [salesinvoice@leathams.co.uk]
This fake financial spam does not come from Leathams but is instead a simple forgery with a malicious attachment.
From: Sales invoice [salesinvoice@leathams.co.uk]
Reply-To: "no-reply@leathams.co.uk" [no-reply@leathams.co.uk]
Date: 2 February 2016 at 13:15
Subject: RB0081 INV2372039
Dear Sir/Madam,
Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
In the event that you have a query - please direct your query as follows;
For the following please contact our Nottingham Office on 020 7635 3190 or email NottinghamTelesales@Leathams.co.uk:
Incorrect items delivered
Quality Complaint
Goods Damaged in Transit
Price query against goods
For the following please contact Credit Control on 020 7635 4049 or email creditcontrol@leathams.co.uk:
Delivery Shortages
Please note that queries reported outside of our terms of business may not be accepted.
Many thanks and kind regards
Leathams Credit Control
2 Rollins Street, London, SE15 1EW
Tel: +44 (0)20 7635 4049
Email: creditcontrol@leathams.co.uk
DID YOU KNOW LEATHAMS IS GOING PAPERLESS IN 2015 - Please note that Leathams will be emailing all invoices and statements in 2015. Kindly confirm by return email what email address we should send your future invoices and statements to.
IMPORTANT TERMS OF BUSINESS - Please note the following time critical terms;
Delivery Queries - You must notify Leathams in writing of any defects within 2 working days stating precisely its reason(s) for rejection. Failure to do so within this time frame will result in any claims being rejected.
Invoice Queries - You must notify Leathams in writing of any discrepancies within 7 working days. If a query is not resolved in time then it is expected that you settle what you believe to be correct; queries should not hold up any payments to Leathams.
Late Payment Fees - Late payment of invoices will result in penalty interest of 8% above the Bank of England base rate. We also reserve the right to apply a late payment fee in accordance with UK Late Payment Legislation.
Size of unpaid debt / Sum to be paid to the creditor:
Up to £999.99: £40.00
£1,000.00 to £9,999.99: £70.00
£10,000.00 or more: £100.00
Follow us on Twitter <http://twitter.com/LeathamsLtd>
Connect on LinkedIn <http://www.linkedin.com/company/leathams-ltd/>
www.leathams.co.uk <http://www.leathams.co.uk/>
_____________________________________________________________________
This e-mail and any attachments are confidential and intended solely for the addressee. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free.
Leathams Ltd does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by Leathams Ltd for operational or business reasons.
Any opinion or other information in this e-mail or its attachments, that does not relate to the business of Leathams Ltd, is personal to the sender and is not given or endorsed by Leathams Ltd.
Leathams Ltd. Registered in England (registered no. 1689381).
Registered Office: 227-255 Ilderton Road, London SE15 1NS, United Kingdom
-------------------------------------------------------------------------------------------------------------
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
_____________________________________________________________________
Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least two different versions (VirusTotal [1] [2]). The Malwr analysis for one of those samples shows a download from:
fillingsystem.com/5h4g/0oi545gfgf.exe
This is similar to a spam run earlier, but the payload has now changed to one with a detection rate of precisely zero (MD5 0d37099eaff9c507c782fd81c715255b). Analysis of this is pending. The payload is the Dridex banking trojan.
UPDATE
Automated analysis [1] [2] shows the executable phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend blocking traffic to that IP, or the whole 91.239.232.0/22 in which it resides.
Malware spam: "PURCHASE 02/02/2016 D1141" / sales@flowervision.co.uk
This spam does not come from Flower Vision but is instead a simple forgery with a malicious attachment:
From: sales@flowervision.co.uk
Date: 2 February 2016 at 08:28
Subject: PURCHASE 02/02/2016 D1141
FLOWERVISION Internet Order Confirmation Page 1/1
Colli Quan Total Price Product S1 S2 S3 Del.Day Total Remark
1 x 25 | 25 | 0.32 | Hyacinthus Or Delft Blue | 30 | 0 | 22 | 160129 | 8.00 | Flowers London
4 x 1 | 4 | 5.50 | Oasis Spray Paint Voilet | 0 | 0 | 0 | 160129 | 22.00 | Sundries London
2 x 10 | 20 | 1.37 | Syringa V Primrose | 90 | 0 | 45 | 160129 | 27.40 | Flowers London
1 x 50 | 50 | 0.25 | Tulipa En Antarctica | 40 | 46 | 33 | 160129 | 12.50 | Flowers London
1 x 50 | 50 | 0.34 | Veronica Clea Diana | 60 | 0 | 44 | 160129 | 17.00 | Flowers London
149 86.90
Attached is a file SALES_D1141_02022016_164242.xls of which I have seen just one version, with a detection rate of 1/50. This Hybrid Analysis shows the macro in the spreadsheet downloading from:
www.torinocity.it/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/51, and is the same payload as seen earlier.
Malware spam: "Order Dispatch: AA207241" / aalabels [customercare97125@aalabels.com]
This fake financial spam is not from aalabels.com but is instead a simple forgery with a malicious attachment.
From: aalabels [customercare97125@aalabels.com]
Date: 2 February 2016 at 07:06
Subject: Order Dispatch: AA207241
Order Dispatch Confirmation
Dear Customer,
This email is to confirm that your order number AA207241 has been dispatched from our warehouse today and your order will be with you the following working day.
Your order has been dispatched via DPD and your order tracking number is 1160173211.
A VAT invoice for your order has been attached in pdf format for your reference.
Code Product Name Qty QS QB No of Packs
AAS021WTP Matt White - Permanent A4 Sheet Labels - 21 Rectangle - 63.5 mm x 38.1 mm 1000 1000 0 10
QS: Quantity Shipped
QB: Quantity Backed
If you need to contact us about this order then please call our customer care team on 01733 588 390 or email customercare@aalabels.com
Thank you for your order.
Kind regards,
AA Labels
www.aalabels.com
23 Wainman Road
Woodston
Peterborough
PE2 7BU
United Kingdom
Phone: 01733 588390
Fax: 01733 425106
The sender's email address and details vary from email to email; however, they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]). These Malwr reports [4] [5] [6] show the macro in the documents downloading from one of the following locations:
timestyle.com.au/5h4g/0oi545gfgf.exe
hebenstreit.us.com/5h4g/0oi545gfgf.exe
fillingsystem.com/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/52. That VirusTotal result and those Malwr reports show it phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I would strongly recommend blocking traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects.
Monday, 1 February 2016
Malware spam: Scanned image from copier@victimdomain.tld
This fake document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple forgery with a malicious attachment.
From: copier@victimdomain.tld
Date: 1 February 2016 at 12:11
Subject: Scanned image from copier@victimdomain.tld
Reply to: copier@victimdomain.tld [copier@victimdomain.tld]
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.
I have seen two different versions of the attached document, named in a format copier@victimdomain.tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report for one of them shows the macro downloading from:
dulichando.org/u56gf2d/k76j5hg.exe
This executable has a detection rate of 4/53 and the Hybrid Analysis reports that it phones home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you block traffic to that IP. The payload is Dridex, as seen here.
Malware spam: "Order Processed." / NoReply-Duration Windows [noreply@duration.co.uk]
This fake financial spam does not come from Duration Windows but is instead a simple forgery with a malicious attachment:
From NoReply-Duration Windows [noreply@duration.co.uk]
Date Mon, 01 Feb 2016 04:21:03 -0500
Subject Order Processed.
Dear Customer,
Please find details for your order attached as a PDF to this e-mail.
Regards,
Duration Windows
Sales Department
___________________________________________________________
This email has been scanned by FilterCloud Email Security.
For more information please visit http://filtercloud.co.uk
I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54.
Analysis of the attachment is pending; however, this is likely to be the Dridex banking trojan.
UPDATE
The Malwr analysis shows that the document downloads a malicious executable from:
www.peopleond-clan.de/u56gf2d/k76j5hg.exe
This has a VirusTotal detection rate of 4/54 and those reports plus this Hybrid Analysis show it phoning home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you block traffic to that IP.
Malware spam: Invoice 123456 from COMPANY NAME
This spam appears to originate from a variety of companies with different references. It comes with a malicious attachment.
From: Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date: 1 February 2016 at 08:39
Subject: Invoice 48014 from JKX OIL & GAS
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Marisol Barrett
JKX OIL & GAS
=========================
From: Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date: 1 February 2016 at 09:38
Subject: Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Oswaldo Browning
J P MORGAN PRIVATE EQUITY LTD
=========================
From: Pansy Haley [HaleyPansy95@victimdomain.tld]
Date: 1 February 2016 at 08:50
Subject: Invoice 95101 from HWANGE COLLIERY CO
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Pansy Haley
HWANGE COLLIERY CO
=========================
From: Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date: 1 February 2016 at 08:51
Subject: Invoice 27051 from ESSENDEN PLC
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Ruth Martinez
ESSENDEN PLC
The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).
Analysis is pending, however this is likely to be the Dridex banking trojan.
UPDATE 1
A different variant of the spam email is going on, which appears to have roughly the same payload:
From: Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date: 1 February 2016 at 10:09
Subject: Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC
Hello,
The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.
Your transaction reference number is A3546F.
Kind Regards,
Heather Mcfadden
HAYWARD TYLER GROUP PLC
UPDATE 2
The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php
These IPs can be considered as malicious, and belong to:
31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)
This drops a malicious binary with a detection rate of 2/53. This phones home to:
185.24.92.229 (System Projects, LLC, Russia)
This spam appears to be the Dridex banking trojan (botnet 120 perhaps).
Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23
Friday, 29 January 2016
Malware spam: "Despatch Note FFGDES34309" / Foyle Food Group Limited [accounts@foylefoodgroup.com]
This fake financial spam is not from Foyle Food Group Limited but is instead a simple forgery with a malicious attachment:
From Foyle Food Group Limited [accounts@foylefoodgroup.com]
Date Fri, 29 Jan 2016 17:58:37 +0700
Subject Despatch Note FFGDES34309
Please find attached Despatch Note FFGDES34309
I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
jjcoll.in/56gf/g545.exe
romana.fi/56gf/g545.exe
clickchiropractic.com/56gf/g545.exe
This has an MD5 of d88c2bed761c7384d0e8657477af9da7 and a detection rate of 6/49. According to my contact, this phones home to:
85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)
This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.
Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3
Malware spam: "Quick Question" / Resume.rtf
This spam leads to malware:
From: Laurena Washabaugh [washabaugh.1946@rambler.ru]
Date: 29 January 2016 at 10:10
Subject: Quick Question
Signed by: rambler.ru
What's going on?
I was visiting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as an intern to get experience in the field.
Please review my CV and let me know what you think.
Best regards,
--
Laurena Washabaugh
The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro [pastebin]; the document has a VirusTotal detection rate of 9/54. I haven't had time to do a detailed analysis, but these automated analyses [1] [2] [3] show it phoning home to:
89.248.166.131 (Quasi Networks, Seychelles)
I recommend that you block traffic to that IP. I'm not sure about what this drops, possibly ransomware. No doubt someone reading this will :)
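The extension/content mismatch described above (a file named .rtf that is really a DOCX, i.e. a ZIP container) is something a mail gateway or analyst can check from the first bytes of the attachment. The following is an added example, not code from the original post; the signatures are the standard RTF, OLE2 and ZIP file magics, and the sample attachments are constructed stand-ins, not the real samples.

```python
import io
import os
import zipfile

# Leading-byte signatures. RTF is plain text starting "{\rtf"; legacy binary
# Office files (.doc/.xls) are OLE2 compound files; OOXML (.docx/.xlsx) files
# are ZIP archives, so a ZIP signature under an .rtf name is the Resume.rtf case.
_MAGIC = [
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"PK\x03\x04", "zip"),
]
# Real formats each extension may legitimately carry.
_EXPECTED = {
    ".rtf": {"rtf"}, ".doc": {"ole2", "rtf"}, ".xls": {"ole2"},
    ".docx": {"docx"}, ".xlsx": {"xlsx"},
}

def sniff(data: bytes) -> str:
    """Return the real format of an attachment judged from its content."""
    kind = next((k for m, k in _MAGIC if data.startswith(m)), "unknown")
    if kind != "zip":
        return kind
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "zip-corrupt"  # truncated or malformed archive: treat as suspicious
    if any(n.startswith("word/") for n in names):
        return "docx"
    if any(n.startswith("xl/") for n in names):
        return "xlsx"
    return "zip"

def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (real_format, suspicious). Suspicious when the content does not
    match what the extension claims, or when the format cannot be determined."""
    ext = os.path.splitext(filename)[1].lower()
    real = sniff(data)
    return real, real not in _EXPECTED.get(ext, set())

def _fake_docx() -> bytes:
    """Constructed minimal OOXML-shaped ZIP standing in for the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")  # macro container present
    return buf.getvalue()

if __name__ == "__main__":
    print(check_attachment("Resume.rtf", _fake_docx()))             # ('docx', True)
    print(check_attachment("Resume.rtf", b"{\\rtf1\\ansi Hello}"))  # ('rtf', False)
```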
Wednesday, 27 January 2016
Malware spam: "Enterprise Invoices No.91786" / Enterprise Security Distribution (South West) Limited
This fake financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple forgery with a malicious attachment.
From: Vicki Harvey
Date: 27 January 2016 at 15:30
Subject: Enterprise Invoices No.91786
Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE
Vicki Harvey
Accountant
Tel: 0117 977 5373
The name of the sender and references will vary. There seem to be several different versions of the attachment named in a format Canon-mf30102A13A@altel.kz_2615524.xls, some example results at VirusTotal are here [1] [2] [3] [4].
The attachments are malformed. You may not be able to download them, or it may appear there are no attachments. It will vary from email client to email client.
Analysis of the attachments is pending, although these Malwr analyses [1] [2] [3] attempted downloads from:
109.234.35.37/californication/ninite.php
5.189.216.105/californication/ninite.php
This binary has a zero detection rate at VirusTotal. That VirusTotal report and this Malwr report indicate network traffic to:
8.254.218.46 (Level 3, US)
I strongly recommend that you block traffic to that IP. This will be some variant of the Dridex banking trojan.
[UPDATE]
This additional Malwr report shows another IP worth blocking:
103.224.83.130 (#2 of Group 1, Lingshan, China)
Malware spam: "Invoice 9210" / Dawn Salter [dawn@mrswebsolutions.com]
This fake financial spam is not from MRS Web Solutions Ltd but is instead a simple forgery with a malicious attachment.
From Dawn Salter [dawn@mrswebsolutions.com]
Date Wed, 27 Jan 2016 19:04:27 +0530
Subject Invoice 9210
Good afternoon
I hope all is good with you.
Please see attached invoice 9210.
Kind regards
Dawn
Dawn Salter
Office Manager
Tel: +44 (0)1252 616000 / +44 (0)1252 622722
DDI: +44 (0)1252 916494
Web: www.mrswebsolutions.com
1 Blue Prior Business Park, Church Crookham, Fleet, Hants, GU52 0RJ
DISCLAIMER: This e-mail and attachments are confidential and are intended solely
for the use of the individual to whom it is addressed. Any views or opinions presented
are solely those of the author and do not necessarily represent those of MRS Web
Solutions Limited. If you are not the intended recipient, be advised that you have
received this e-mail in error and that any use, dissemination, forwarding, printing,
or copying of this e-mail is strictly prohibited. If this transmission is received
in error please notify the sender immediately and delete this message from your e-mail
system. All electronic transmissions to and from MRS Web Solutions Ltd are recorded
and may be monitored. Company Registered in England No. 3900283. VAT GB733622153.
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
The attachment is named 9210.doc, which I have seen come in three versions (VirusTotal [1] [2] [3]). The Malwr reports for those [4] [5] [6] show executable download locations at:
www.cityofdavidchurch.org/54t4f4f/7u65j5hg.exe
www.hartrijders.com/54t4f4f/7u65j5hg.exe
grudeal.com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 1/53 and an MD5 of 9c8b2d84665aeedc1368e9951c07a469. Hybrid Analysis of the binary shows that it phones home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
This is the same IP as seen in this earlier spam run; I recommend you block it.