Sponsored by..

Friday, 26 February 2016

Malware spam: "Your Order has been despatched from Harrison" / warehouse@harrisonproducts.net

This spam does not come from Harrison Products but is instead a simple forgery with a malicious attachment:

From     warehouse | Harrison [warehouse@harrisonproducts.net]
Date     Fri, 26 Feb 2016 18:07:04 +0500
Subject     Your Order has been despatched from Harrison

Dear Customer

Thank you for your valued Order, your Despatch Confirmation is attached

If there are any queries relating to this delivery please contact our Customer Service
Team on 01451 830083 or email sales@harrisonproducts.net

Kind Regards

The Harrison Products Team


Harrison Products Co. Sterling House, Moreton Road, Longborough, Glos. GL56 0QJ
I have seen only one sample of this with an attachment named Order ref. 16173.xls  which has a VirusTotal detection rate of 6/55. This Malwr report plus this Hybrid Analysis for that sample shows a binary being downloaded from:

thetoyshop.by/system/logs/76tg654viun76b

There are probably other download locations too. This dropped file has a detection rate of 3/52. Those two reports indicate that this is the Dridex banking trojan. It phones home to:

203.162.141.13 (VietNam Data Communication Company, Vietnam)

I strongly recommend that you block traffic to that IP.



Evil networks to block 2016-02-26

These networks are clusters of the Angler EK and other badness. I tend to Tweet about Angler IPs rather than blog about them. Following the #AnglerEK hashtag at Twitter can yield more information, often in realtime.

All the links go to Pastebin with more information about the IPs and the blocks. Note that a few of these blocks do contain some legitimate Russian-language sites, but if your users don't visit that sort of site then you should be OK to block them.

51.254.240.0/24
64.79.88.16/29
86.106.93.0/24
88.198.229.184/29
88.214.237.0/24
89.45.67.0/24
146.0.43.64/26
176.9.226.160/29
176.223.111.0/24
184.154.53.136/29
185.66.9.0/24
185.66.10.0/24
185.46.11.0/24
185.86.76.0/22
185.86.149.0/24
185.104.8.0/22
185.118.65.0/24
188.227.72.0/22
191.96.66.0/24 
195.128.125.0/24
204.45.251.128/26 
204.155.30.0/24
207.182.141.200/29
212.22.85.0/24
212.109.192.224/27

Wednesday, 24 February 2016

Malware spam: "Scanned image" / "Image data in PDF format has been attached to this email."

This fake document scan has a malicious attachment. It appears to come from within the victim's own domain, but this is a malicious forgery.
From:    admin [southlands71@victimdomain.tld]
Date:    24 February 2016 at 15:25
Subject:    Scanned image

Image data in PDF format has been attached to this email.
I have only seen a single sample with an attachment 24-02-2016-00190459.zip containing a malicious script [pastebin] which in this case downloads a binary from:

kartonstandambalaj.com.tr/system/logs/87h754

My sources say that other versions download from:

demo2.master-pro.biz/plugins/ratings/87h754
baromedical.hu/media/87h754
bitmeyenkartusistanbul.com/system/logs/87h754/
zaza-kyjov.cz/system/cache/87h754


As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55.

Those reports show the malware phoning home to:

5.34.183.136 (ITL, Ukraine)

I strongly recommend that you block traffic to that IP.

Evil network: 184.154.28.72/29 (Marko Cipovic / Singlehop) and liveadexchanger.com

liveadexchanger.com is an advertising network with a questionable reputation currently hosted on a Google IP of 146.148.46.20. The WHOIS details are anonymous, never a good sign for an ad network.

Seemingly running ads on the scummiest websites, liveadexchanger.com does things like trying to install fake Flash updates on visitors computers, as can be seen from this URLquery report... you might find the screenshot missing because of the complex URL, so here it is..


That landing page is on alwaysnewsoft.traffic-portal.net (part of an extraordinarily nasty network at 184.154.28.72/29) which then forwards unsuspecting visitors to a fake download at intva31.peripheraltest.info  which you will not be surprised to learn is hosted at the adware-pusher's faviourite host of Amazon AWS.

Of the 567 sites that have been hosted in this /29 (not all are there now), 378 of them are tagged as malicious in some way by Google (67%) and 157 (28%) are also tagged by SURBL as being malicious in some way. Overall then, 74% are marked as malicious by either Google or SURBL, which typically means that they just haven't caught up yet with the other bad domains. The raw data can be seen here [pastebin].

At the time of writing, the following websites appear to be live:

check4free.newperferctupgrade.net
testpc24.onlinelivevideo.org
getsoftnow.onlinelivevideo.org
newsoftready.onlinelivevideo.org
whenupdate.plugin2update.net
alwaysnew.updateforeveryone.net
free2update.newsafeupdatesfree.net
liveupdate.update4free.org
downgradepc.update4free.org
noteupgrade.update4free.org
newupdate.digit-services.org
lastversion.whensoftisclean.org
newupdate.set4newsearchupdate.com
upd24.free247updatetoolnow.com
24check.plugin-search2update.com
check4upgrade.plugin-search2update.com
softwareupdate.plugin-search2update.com
updateauto.theinlinelive.net
newsoftready.set2updatesnen.net
alwaysnewsoft.traffic-portal.net
checksoft.new24checkupgrade.net
legalsoft.perfectsafeupdate.net
checksoft.group4updating.org
checksoft.thesoft4updates.org
netapp.safeplugin-update.org
freedlupd.pcfreeupdates.club
softwareupdate.upgrades4free.org
freechecknow.onlinelivevideo.org
liveupdate.os-update.club
newupdate.update4free.net
checksoft.newsafeupdatesfree.net
workingupdate.digit-services.org
now.how2update4u.com
autoupdate.whenupgradeswork.com
setupgrade.set4freeupdates.xyz
update4soft.searchonly.online
updateauto.forfreeupgrades.org
autoupdate.soft-land.club
soft4update.soft-land.club
updateauto.newvideolive.club
newupdate.portal-update.club
maintainpc.perfectupdater.org
newupdate.downloadsoft24.club

The WHOIS details for this block:
%rwhois V-1.5:003eff:00 rwhois.singlehop.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:ORG-SINGL-8.184-154-28-72/29
network:Auth-Area:184.154.0.0/16
network:IP-Network:184.154.28.72/29
network:Organization:Marko Cipovic
network:Street-Address:Kralja Nikole 33
network:City:Podgorica
network:Postal-Code:81000
network:Country-Code:CS
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20150323
network:Updated:20150323


If you are using domain-based blocklists, this [pastebin] is the list of domains currently or formerly hosted on this block with the subdomains removed. Other than that, I would recommend the following blocklist:

liveadexchanger.com
184.154.28.72/29

Malware spam FAIL: "Thank you for your order!" / DoNotReply@ikea.com

This fake financial spam is not from IKEA, but it instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.

From:    DoNotReply@ikea.com
Date:    24 February 2016 at 09:56
Subject:    Thank you for your order!
IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
24-02-2016
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
24-02-2016
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.
The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do not open it. The attachment is currently being analysed.

UPDATE

Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this.

Malware spam: "VAT Invoice - Quote Ref: ES0142570" / CardiffC&MFinance@centrica.com

This fake financial spam is not from British Gas / Centrica but is instead a simple forgery with a malicious attachment.

From:    CardiffC&MFinance [CardiffC&MFinance@centrica.com]
Date:    24 February 2016 at 09:09
Subject:    VAT Invoice - Quote Ref: ES0142570


Good Afternoon,

Please find attached a copy of the VAT invoice as requested.

Regards
Tracy Whitehouse
Finance Team
British Gas Business| Floor 1| 4 Callaghan Square| Cardiff| CF10 5BT
http://intranet/C12/C12/Brand%20and%20communications%20toolk/Email%20signatures/British-Gas-Top-25-gptw.jpg




_____________________________________________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside England and Wales).

The views expressed in this email are not necessarily the views of Centrica plc, and the company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.

PH Jones is a trading name of British Gas Social Housing Limited. British Gas Social Housing Limited (company no: 01026007), British Gas Trading Limited (company no: 03078711), British Gas Services Limited (company no: 3141243), British Gas Insurance Limited (company no: 06608316), British Gas New Heating Limited (company no: 06723244), British Gas Services (Commercial) Limited (company no: 07385984) and Centrica Energy (Trading) Limited (company no: 02877397) are all wholly owned subsidiaries of Centrica plc (company no: 3033654). Each company is registered in England and Wales with a registered office at Millstream, Maidenhead Road, Windsor, Berkshire SL4 5GD.

British Gas Insurance Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. British Gas Services Limited and Centrica Energy (Trading) Limited are authorised and regulated by the Financial Conduct Authority. British Gas Trading Limited is an appointed representative of British Gas Services Limited which is authorised and regulated by the Financial Conduct Authority.

In the only sample I have seen before, there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/52. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware.

UPDATE 1

The Hybrid Analysis of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:

skropotov.ru/system/logs/87h754.exe

C2 to block:
80.86.91.232 (PlusServer, Germany)

UPDATE 2 

The comments on this VT report indicate other download locations:

school62.dp.ua/new_year/balls/87h754.exe
skropotov.ru/system/logs/87h754.exe
designis.com.ua/admin/images/87h754.exe
armo.sk/system/logs/87h754.exe
eyesquare.tn/system/logs/87h754.exe


Friday, 19 February 2016

Malware spam: "Unpaid Invoice #350" / credit control [invoices@thistleremovals.co.uk]

This fake financial spam does not come from Thistle Removals but is instead a simple forgery with a malicious attachment.
From     credit control [invoices@thistleremovals.co.uk]
Date     Fri, 19 Feb 2016 17:52:49 +0200
Subject     Unpaid Invoice #350
Message text

Please see attached letter and a copy of the original invoice.
Attached is a file with a semirandomly name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the same locations as found here, dropping a malicious executable with a detection rate of 10/55 (changed from earlier today).

Third party analysis (thank you) indicates that this then phones home to the following locations:

91.121.97.170/main.php (OVH, France)
46.4.239.76/main.php
(Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106/main.php (Virty.io, Russia)

The payload is the Locky ransomware.

Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106


Malware spam: "Invoice FEB-23456789" from "Accounting Specialist"

This fake financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:

From:    Kenya Becker
Date:    19 February 2016 at 11:59
Subject:    Invoice FEB-92031923


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Kenya Becker
Accounting Specialist

==================

From:    Toni Jacobson
Date:    19 February 2016 at 12:10
Subject:    Invoice FEB-63396033


Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!

Toni Jacobson
Accounting Specialist 
Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report) which contains XML that looks like this [pastebin]. Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:

ratgeber-beziehung.de/5/5.exe
www.proteusnet.it/6/6.exe

If recent patterns are followed, there will be several different download locations with different versions of the file at each. I will let you know if I get these locations. The binaries has a detection rate of 7/55 and 6/54 and these Malwr reports [1] [2] [3] indicate that it phones home to:

85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)


Other samples are being analysed, but in the meantime I recommend that you block traffic to:

85.25.138.187
31.41.47.3


UPDATE 1

Some additional download locations from these Malwr reports [1] [2] [3]:

ecoledecorroy.be/1/1.exe
animar.net.pl/3/3.exe
luigicalabrese.it/7/7.exe


..stil working on those other locations!

UPDATE 2

Two other locations are revealed in these Malwr reports [1] [2]:

http://lasmak.pl/2/2.exe
http://suicast.de/4/4.exe





Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not comes from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Sehr geehrte Damen und Herren,

bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG

Vielen Dank!

Mit freundlichen Grüßen

Anke Füldner

Finanzbuchhaltung

Tel.: 03874-422038
Fax: 03874-4220844

LOGO LFW

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust
HRA 1715, Amtsgericht Schwerin
Geschäftsführer: U.Müller, U.Warncke
USt.-IdNr. DE202820580, St.Nr. 08715803209
Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Wenn Sie nicht der richtige Adressant sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten diese E-Mail und alle Anhänge und Ausdrucke unverzüglich.
Das Gebrauchen, Publizieren, Kopieren oder Ausdrucken sowie die unbefugte Weitergabe des Inhalts dieser E-Mail ist nicht erlaubt.
This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:

mondero.ru/system/logs/56y4g45gh45h

Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..


UPDATE

An additional analysis from a trusted source (thank you). Download locations are:

mondero.ru/system/logs/56y4g45gh45h
tcpos.com.vn/system/logs/56y4g45gh45h
www.bag-online.com/system/logs/56y4g45gh45h


The malware phones home to:

46.4.239.76/main.php
94.242.57.45/main.php
wblejsfob.pw/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php


The active C2s (some may be sinkholes) appear to be:

46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)


Analysis those C2 locations give a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70


Thursday, 18 February 2016

Fake job: resume@gbjobsite.com

This fake job offer looks like it might be from the creators of the Dridex banking trojan. It comes with various subjects:
Cooperation with the great company
We offer new vacancy
employees needed
cooperation with an international company
hi!
The crisis has finished! Work with us!
beneficial offer
Wanted regional manageres
Hello!
partial occupation
Working with partial occupancy
beneficial proposition
The part-time employment

The body text is always very similar:
Hello!

We are looking for employees working remotely.

My name is yvon, am the personnel manager of a large UK company.
Most of the work you can do from home, that is, at a distance.
Salary is 1000£ - 4000£.

If you are interested in our offer, mail to us your answer on resume@gbjobsite.com and we will send you an extensive information as soon as possible.
Best regards!
Personal Staff 
The spam appears to originate from within the sender's own domain, but this is just a simple forgery. Emails sent to the domain gbjobsite.com are sent to an innocuous-looking but nonetheless evil IP of 172.246.47.65 (Enzu Inc, US). Nameservers are using the domain abcdns.biz. Domain registration details are either fake or anonymous.

The nature of the job is illegal, and will most likely involve money laundering, handling stolen goods or other fraudulent activities. Avoid at all costs.

Fake job: "Personal Assitant and Administrative officer needed." / Walter.Smith [sales@ema.su]

This job offer is a fake, and is actually intended to recruit people for criminal activities such as money laundering or receiving stolen goods.

From:    Walter.Smith [sales@ema.su]
Reply-To:    waltersmith7@ig.com.br
Date:    17 February 2016 at 23:54
Subject:    Re: Personal Assitant and Administrative officer needed.

Hello,

I'm looking for someone who can handle my business & personal errands at his/her spare time as I keep traveling a lot. Someone who can offer me these

services mentioned below:

* Mail services (Receive my mails and drop them off at UPS or USPS)
* Shop for Gifts
* Bill payment (pay my bills on my behalf, access to the funds would be provided by me)
* Sit for delivery (at your home) or pick items up at nearby post office at your convenience.

Let me know if you will be able to offer me any or all of these services and 10% of my income weekly would be your weekly payment. If you will be available for this job position ,send me a confirmation e-mail and send me your details like complete name/address/country/state/ city/zip/phone or you could even attach your resume.I do have a pile up of work and a number of unattended duties which you can assist me with soon.

Please note that this job DOES NOT require any financial obligation of any sort from you as I would be catering for all expenses.

I look forward to hearing from you.

Sincerely,

Mr.Walter.Smith.
It appears to come from the domain ema.su (".su" is the old domain for the Soviet Union, still around today) but in face the Reply-To address is waltersmith7@ig.com.br. The email was routed through an insecure server at 50.47.43.21 (mail.plantsmartsales.com) and apparently originated from 71.2.1.212 (apparently in Warren, Ohio).

Despite appearing to be a "no risk" proposition with a 10% payoff, all the money being handled is actually stolen, and the person handling it will be liable for 100% of the loss and could face legal action. Any goods handled and reshipped will be stolen, and any correspondence sent and received will be fraudulent. Avoid this at all costs.

Malware spam: "Payment" / Laurence Cottle [lcottle60@gmail.com]

This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appeneded to it

From:    Laurence Cottle [lcottle60@gmail.com]
Date:    18 February 2016 at 13:35
Subject:    Payment

Hi

Any chance of getting this invoice paid, please?

Many thanks

Laurence

Attached is a file unnamed document.docm which comes in several different versions.

Third-party analysis (thank you!) reveals that there are download locations at:

acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43.exe
alkofuror.com/system/engine/7647gd7b43f43.exe
merichome.com/system/logs/7647gd7b43f43.exe
organichorsesupplements.co.uk/system/logs/7647gd7b43f43.exe
shop.zoomyoo.com/image/templates/7647gd7b43f43.exe
tutikutyu.hu/system/logs/7647gd7b43f43.exe
vipkalyan.com.ua/system/logs/7647gd7b43f43.exe

This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.

MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e  
9f622033cfe7234645c3c2d922ed5279

The malware phones home to:

195.154.241.208/main.php
46.4.239.76/main.php
94.242.57.45/main.php
kqlxtqptsmys.in/main.php
cgavqeodnop.it/main.php
pvwinlrmwvccuo.eu/main.php
dltvwp.it/main.php
uxvvm.us/main.php
wblejsfob.pw/main.php


Out of those, the most supect IPs are:

195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)


Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70



Malware spam: Copy of Invoice 20161802-12345678 leads to Locky ransomware

This fake financial spam spoofs different senders and different companies, with a different reference number in each.

From:    Devon Vincent
Date:    18 February 2016 at 08:14
Subject:    Copy of Invoice 20161802-99813731

Dear [redacted],

Please find attached Invoice 20161802-99813731 for your attention.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Devon Vincent
Tenet Healthcare Corporation    www.tenethealth.com

=================

From:    Elvia Saunders
Date:    18 February 2016 at 09:19
Subject:    Copy of Invoice 20161802-48538491

Dear [redacted],

Please find attached Invoice 20161802-48538491 for your attention.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Elvia Saunders
The PNC Financial Services Group, Inc.  www.pnc.com

I have seen two variants of the document (VirusTotal [1] [2]). Analysis of the documents is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

There is a second variant of the spam with essentially the same (undefined) payload:

From:    Heather Ewing
Date:    18 February 2016 at 08:41
Subject:    Invoice

Dear Sir/Madam,

I trust this email finds you well,

Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.

Best Regards,

Heather Ewing
The Bank of New York Mellon Corporation www.bnymellon.com
In this case the attachment was named Invoice51633050.doc - automated analysis is inconclusive. An examination of the XML attachment [pastebin] indicates that it may be malformed.

UPDATE 2

A contact (thank you) analysed one of the samples and found that the document downloaded an executable from:

killerjeff.free.fr/2/2.exe

According to this Malwr report this is the Locky ransomware, and it phones home to:

95.181.171.58 (QWARTA LLC, Russia)
69.195.129.70 (Joes Data Center, US)


I suspect that the second one may be a sinkhole, but there should be no ill effects from blocking it.


UPDATE 3

A couple more samples have come to light [1] [2] one of which shows a new phone home location of:

185.14.30.97 (ITL Serverius, NL)

UPDATE 4

From user Ralf9000 at VirusTotal here are some more download locations:

onigirigohan.web.fc2.com/1/1.exe
killerjeff.free.fr/2/2.exe
uponor.otistores.com/3/3.exe
premium34.tmweb.ru/4/4.exe
bebikiask.bc00.info/5/5.exe
avp-mech.ru/7/7.exe

6.exe seems to be missing. Analysis of these is pending.

UPDATE 5

According to these Malwr reports on all the available samples [1] [2] [3] [4] [5] [6] the various versions of Locky seem to call back to:


95.181.171.58 (QWARTA LLC, Russia)
31.41.47.37 (Relink Ltd, Russia)
185.14.30.97 (ITL, Ukraine / Serverius, Netherlands)
69.195.129.70 (Joes Datacenter, US)

I have omitted what appear to be obvious sinkholes.

Recommended blocklist:
95.181.171.58
31.41.47.37
185.14.30.97
69.195.129.70


Wednesday, 17 February 2016

Malware spam: tracking documents / cmsharpscan@gmail.com

This fake document scan spam has a malicious attachment:

From:    cmsharpscan3589@gmail.com
Date:    17 February 2016 at 14:32
Subject:    tracking documents

Reply to: cmsharpscan@gmail.com [cmsharpscan@gmail.com]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
I have only seen a single sample of this with an attachment cmsharpscan@gmail.com_20160217_132046.docm which has a VirusTotal detection rate of 7/54. According the the Malwr analysis of the document, the payload is the Locky ransomware and is identical to the earlier attach described here.

Malware spam: "Rechnung 2016-11365" / mpsmobile GmbH [info@mpsmobile.de]

This bilingual spam does not come from mpsmobile but is instead a simple forgery with a malicious attachment.

From:    mpsmobile GmbH [info@mpsmobile.de]
Date:    17 February 2016 at 12:23
Subject:    Rechnung 2016-11365

Sehr geehrte Damen und Herren,

anbei erhalten Sie das Dokument 'Rechnung 2016-11365' im DOC-Format. Um es betrachten und ausdrucken zu können, ist der DOC Reader erforderlich. Diesen können Sie sich kostenlos in der aktuellen Version aus dem Internet installieren.

Mit freundlichen Grüssen
mpsmobile Team

______________________________
_____

Dear Ladies and Gentlemen,

please find attached document ''Rechnung 2016-11365' im DOC-Format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.

Best regards
mpsmobile GmbH
mpsmobile GmbH
Brühlstrasse 42
88416 Ochsenhausen
Tel: +49 7352 923 23 0
Fax: +49 7352 923 23-29
Email: info@mpsmobile.de
Handelsregister Amstgericht ULM HRB 727290
Sitz der Gesellschaft: Ochsenhausen
UStIDNr: DE 281079008
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet.

In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54.

According to this Malwr report  the binary attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:

feestineendoos.nl/system/logs/7623dh3f.exe?.7055475

This dropped file has a detection rate of 3/53.  Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed.

Machines infected with Locky will display a message similar to this:


Unfortunately, the only known way to recover from this is to restore files from offline backup once the infection has been removed from the PC.

UPDATE

Another version plopped into my inbox, VT 7/54  and according to this Malwr report, it downloads from:

nadeenk.sa/system/logs/7623dh3f.exe?.7055475

This variant POSTs to a server at:

46.4.239.76 (Myidealhost.com  / Hetzner, Germany)

It is likely that the C2 server (identified in the previous report) is:

85.25.149.246 (PlusServer AG, Germany)

Recommended blocklist:
85.25.149.246
46.4.239.76


Malware spam: Fwd:Accumsan Neque LLC Updated Invoice / Please turn on the Edit mode and Macroses!

This malware spam may come from several different companies, but I have only a single sample. It is notable for the mis-spelling of "Macros" as "Macroses" in the document.

From:    Fletcher Oliver [angel@jiahuan.com.tw]
Date:    17 February 2016 at 06:23
Subject:    Fwd:Accumsan Neque LLC Updated Invoice

Good morning

Please check the bill in attachment. In order to avoid fine  you have to pay in 12 hours.

Best regards

Fletcher Oliver
Accumsan Neque LLC

Attached is a document Q7FX9ZH.doc with the distinctive text Attention! To view this document, please turn on the Edit mode and Macroses!

Needless to say, enabling Edit mode and Macroses is a Very Bad Idea. The VirusTotal detection rate for this file is just 2/54. Hybrid Analysis [1] [2] shows that the macro first downloads from:

www.design-i-do.com/mgs.jpg?OOUxs4smZLQtUBK=54

This looks to be an unremarkable JPEG file..

(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created [pastebin] and a malicious EXE file is dropped with a VirusTotal result of 7/54.

Automated analysis of the dropped binary [1] [2] shows that it phones home to:

216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)

I strongly recommend that you block traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan.

Tuesday, 16 February 2016

Malware spam: ATTN: Invoice J-06593788 from random companies

This fake financial spam does not come from Apache Corporation but instead is a simple forgery with a malicious attachment.
From:    June Rojas [RojasJune95@myfairpoint.net]
Date:    16 February 2016 at 09:34
Subject:    ATTN: Invoice J-06593788

Dear nhardy,

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!

June Rojas
Apache Corporation      www.apachecorp.com
Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc which has a VirusTotal detection rate of 5/54. Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1] [2] [3] and it shows that the macro dowloads from one of the following locations:

www.southlife.church/34gf5y/r34f3345g.exe
www.iglobali.com/34gf5y/r34f3345g.exe
www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe


Curiously, the binary downloaded from each location is different, with the following MD5s:

CBE75061EB46ADABC434EAD22F85B36E
B06D9DD17C69ED2AE75D9E40B2631B42
FB6CA1CD232151D667F6CD2484FEE8C8


Each one phones home to a different location, the ones I have identified are:

109.234.38.35 (McHost.ru, Russia)
86.104.134.144 (One Telecom SRL, Moldova)
195.64.154.14 (Ukrainian Internet Names Center, Ukraine)


There may be other samples with other behaviour.

UPDATE 2

It is possible that this is dropping ransomware, not Dridex. One other download location identified here:

www.villaggio.airwave.at/34gf5y/r34f3345g.exe

This one has an MD5 of:

1FD40A253BAB50AED41C285E982FCA9C

Detection rate is 5/53 but I do not yet know where this phones home to.

UPDATE 3

That last sample phones home to:

91.195.12.185 (PE Astakhov Pavel Viktorovich, Ukraine)

according to this Hybrid Analysis.

Recommended blocklist:
109.234.38.0/24
86.104.134.128/25
195.64.154.14

91.195.12.185 

UPDATE 4

It appears that this is dropping some ransomware called "Locky" apparently by the makers of Dridex, according to this.

Malware spam: "receipt" / "Accounts" [accounts@aacarpetsandfurniture.co.uk]

This fake financial spam does not come from AA Carpets and Furniture, but is instead a simple forgery with a malicious attachment:

From     "Accounts" [accounts@aacarpetsandfurniture.co.uk]
Date     Tue, 16 Feb 2016 02:15:52 -0700
Subject     receipt

Please find attached receipt

Kind Regards

Christine

Accounts

12-14 Leagrave Road
Luton
Beds
LU4 8HZ

T: 01582488449
F: 01582400866
W:www.aacfdirect.co.uk
E: accounts@aacarpetsandfurniture.co.uk
Attached is a file CCE06102015_00000.docm of which I have only seen a single sample, with a detection rate of 5/54. Analysis is pending, however this would appear to be the Dridex banking trojan.

Malware spam: fmis@oldham.gov.uk / Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530

This spam does not come from Oldham Council but is is instead a simple forgery with a malicious attachment. The timestamp in the subject line varies, probably generated by the infected computer sending the spam.

From:    fmis@oldham.gov.uk
Date:    16 February 2016 at 08:48
Subject:    Remittance Advice : Tue, 16 Feb 2016 14:18:52 +0530


**********************************************************************
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.”

Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses. However, we advise that in keeping
with good management practice, the recipient should ensure that the email together
with any attachments are virus free by running a virus scan themselves.
We cannot accept any responsibility for any damage or loss caused by software viruses.

Monitoring: The Council undertakes monitoring of both incoming and outgoing emails.
You should therefore be aware that if you send an email to a person within the Council
it may be subject to any monitoring deemed necessary by the organisation from time to time.
The views of the author may not necessarily reflect those of the Council.

Access as a public body: The Council may be required to disclose this email (or any response to it)
under the Freedom of Information Act, 2000, unless the information in it is covered
by one of the exemptions in the Act.

Legal documents: The Council does not accept service of legal documents by email.
**********************************************************************
I have only seen a single copy of this spam, with an attachment 201602_4_2218.docm which has a VirusTotal detection rate of 5/54. Analysis is pending, but the payload is likely to be the Dridex banking trojan.

UPDATE

This spam is related to this one.  Automated analysis of the samples [1] [2] [3] [4] plus some private sources indicate download locations for this and other related campaigns today at:

labelleflowers.co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg.com/09u8h76f/65fg67n
yurtdisiegitim.tv/09u8h76f/65fg67n
hg9.free.fr/09u8h76f/65fg67n
jtonimages.perso.sfr.fr/09u8h76f/65fg67n
test.blago.md/09u8h76f/65fg67n


This file has a detection rate of 3/54. According to those reports, it phones home to:

151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)


Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194


Monday, 15 February 2016

Malware spam: Overdue Invoice 012345 - COMPANY NAME

This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
From:    Brandi Riley [BrandiRiley21849@horrod.com]
Date:    15 February 2016 at 12:20
Subject:    Overdue Invoice 089737 - COMS PLC

Dear Customer,

The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Brandi Riley

COMS PLC

Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis shows an attempted download from:

node1.beckerdrapkin.com/fiscal/auditreport.php

This is hosted on an IP that you can assume to be malicious:

193.32.68.40 (Veraton Projects, BZ / DE)

The dropped executable (detection rate 4/54) then phones home to:

194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)


The payload is the Dridex banking trojan.

Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229