This spam appears to come from random senders, and leads to Locky ransomware:
From: Graham Roman Date: 23 May 2016 at 11:59 Subject: Re:
Hi [redacted]
Please find attached the file we spoke about yesterday.
Thank you,
Graham Roman
PCM, Inc.
Attached is a ZIP file starting with copy_invoice_ and then a random sequence. This contains a malicious script file which in the sample I analysed downloads an obfuscated binary from:
Automated analysis of the script [1][2] shows it dropping a file klA1KMQj2D.exe which has a VirusTotal detection rate of 5/56. Those prior reports plus these additional analyses of the binary [3][4][5] show network traffic to:
This spam comes from random senders and has a malicious attachment. Here is an example:
From: Frederic Spears Date: 20 May 2016 at 10:29 Subject: Re:
Hi [redacted],
I wanted to follow up with you about your refund.
Please find the attached document
Regards,
Frederic Spears
CBS Corporation
The company name and sender's name varies from message to message. Attached is a ZIP file which contains elements of the recipient's name, which in turn contains one of a variety of malicious scripts. Out of the samples I have seen, I have so far found download locations of:
Only three of those download locations work so far (VirusTotal results [1][2][3]) and automated analysis of those [4][5][6][7][8] shows behaviour consistent with Locky ransomware. All of those reports show the malware phoning home to:
From: Britney Hart Date: 16 May 2016 at 13:15 Subject: Re:
hi [redacted]
I have attached a revised spreadsheet contains customers. Please check if it's correct
Regards, Britney Hart
Other variations of the body text seen so far:
I have attached a revised spreadsheet contains general journal entries. Please check if it's correct I have attached a revised spreadsheet contains estimates. Please check if it's correct
Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from
There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1][2][3]) and automated analysis [5][6][7][8][9] shows the malware phoning home to:
From: victim@victimdomain.tld To: victim@victimdomain.tld Date: 11 May 2016 at 12:39 Subject: Emailing: Photo 05-11-2016, 03 26 04
Your message is ready to be sent with the following file or link attachments:
Photo 05-11-2016, 03 26 04
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
It appears to come from the sender's own email address, but this is a simple forgery (explained here). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment
match the references in the email). It contains a .js file with a similar name.
Trusted third-party analysis (thank you!) shows the various scripts downloading from:
This drops a file with a detection rate of 3/56. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:
185.82.202.170 (Host Sailor, United Arab Emirates) 88.214.236.11 (Overoptic Systems, UK / Russia) 5.34.183.40 (ITL, Ukraine)
According to a DeepViz report, this sample has identical characteristics.
This fairly brief spam has a malicious attachment:
From: Alexandra Nunez Date: 10 May 2016 at 21:10 Subject: Re:
hi [redacted],
As promised, the document you requested is attached
Regards,
Alexandra Nunez
The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:
I blogged about "Project Management International" last year, an outfit running (in my personal opinion) fake or low-quality seminars, at that time using the domain projectmanagementinternational.org.
This outfit is run by Anthony Christopher Jones and Patchree "Patty" Patchrint (aka Patty Jones) from California. I've written about this oufit several times in the past five years, but it turns out that Jones and Patchrint have been running similar schemes since 2008.
In 2011 ABC15 news in Arizona investigated a previous incarnation of these scheme, named "NAPPPA"...
These Jones / Patchrint operations seem to pop up from time to time and then disappear, usually after being exposed for what they are. This latest iteration of the fake "Project Management International" organisation uses the domain projmanagementintl.org. It's a flashy-looking site, but really it is just made from a standard template.
The "Registration" page lists some prestigious universities as hosting these courses.
From what I can tell, the usual thing that happens is that at the last minute the location is changed to a nearby hotel or conference centre, and it seems that no booking are ever made with the university. All feedback on the courses seems to indicate that they are all of very poor quality. There are numerous reports that the people hired to teach these courses are also not paid as promised.
The courses themselves are advertised through spam email (example here)
The Project Management Fundamentals Course
will be offered May 25-27, 2016 at the University of Utah campus in Salt Lake City, Utah. Project management professionals, business and technology professionals, students, and educators are invited to register at the Project Management International website here .
May 25-27, 2016 Salt Lake City, Utah8:00am - 5:00pm
The Project Management Fundamentals Course
is designed for those seeking professional project management certification. It serves as a thorough introduction to the fundamentals of project management. Those seeking additional credentials such as the PMP®/PgMP®, PMI-SP®, and PMI-RMP® will benefit from this dynamic and interactive work session, while those currently holding credentials will find the certification to be an enhancement as well as the most up to date advanced professional development.
Project Management Fundamentals Course provides 24 hours of project management education hours for both PMI's Certified Associate in Project Management (CAPM)
® and Project Management Professional (PMP) certifications. Additionally, the Master Certification provides 24 Professional Development Units (PDUs) for current holders of PMP®/PgMP®, PMI-SP®, and PMI-RMP® credentials. Additionally, the program awards 2.4 Continuing Education Units (CEUs) upon request.
Program Description
Our certificate program teaches technical and business professionals how to master the critical skills of project management techniques as part of their technical career development.
The skills developed in the Project Management Fundamentals Course apply to large and small projects, product design and development efforts, construction projects, IT projects, software development, and any project with critical performance, time, and budget targets.
Our approach to project management education offers proven, results-focused learning.
Courses are developed and facilitated by professional subject experts with extensive industrial experience. Course emphasis is on providing practical skills and tools supported by relevant case examples.
Tuition
Tuition for the three-day Project Management Fundamentals Course is $595.00
Program Schedule and Content
1.Project Initiation, Costing, and Selection, Day 1
2.Project Organization and Leadership, Day 1
3.Detailed Project Planning, Day 2
4.Project Monitoring and Control, Day 2
5.Project Risk and Stakeholder Management, Day 3
Benefits
·A Project Management International Certificate of Accomplishment is awarded upon completion of the three day program. ·
Our instructors have extensive industrial experience. They focus on providing you with practical skills and tools using relevant case examples.· Each class is highly focused and promotes maximum interaction.·
You can network with other project management professionals from a variety of industries.· Earn Professional Development Units (PDUs) for maintenance of certification under the PMI Continuing Certification Requirements Program.·
Applicants for PMI's Certified Associate in Project Management (CAPM)® and Project Management Professional (PMP) certifications will receive 24 project management education hours towards the requirements for eligibility.
Registration
Participants may reserve a seat online at the Project Management International website
, by calling the Program Office toll-free at (888) 201-6372, or by sending their name and contact information via email to the Program Registrar.
Upon receiving your registration, a confirmation email is sent to registrants that include session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements.
To unsubscribe from this mailing list, simply reply to this message and write EXCLUDE to be removed from future notices.
Contact numbers listed on the spamvertised site are:
If you see these telephone numbers on other seminar sites, then it will be the same operation. The site quotes a PO box as a contact address but reveals no other information about this so-called corporation.
Project Management International PO BOX 812112 Los Angeles, California 90081
If you feel you have been scammed by this operation then I urge you to report it to the police, FBI, FTC or your local AG's Office. If you would like to share your experiences (positive or negative) then please feel free to use the Comments section below.
This fake financial spam leads to malware. Details change slightly from email to email:
From: Administrator [adminHb@victimdomain.tld] Date: 5 May 2016 at 11:29 Subject: Statement 6BBC0E
Please See Attached
______________________________________________________________________ Scanned by MailDefender Plus, powered by Symantec Email Security.cloud http://www.intycascade.com/products/symantec/ ______________________________________________________________________ --- This email has been checked for viruses by Avast antivirus software. http://www.avast.com
It must be safe.. scanned by both Symantec and Avast! Well, of course that's just BS and the attached DOC file leads to malware, specifically the same payload as seen in this slightly earlier spam run.
This fake document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:
From: DocuCentre-IV [DocuCentre1230@victimdomain.tld] Date: 5 May 2016 at 10:27 Subject: Scan Data
Number of Images: 1
Attachment File Type: PDF
----=_Part_45251_4627454344.4826709420825--
Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1][2][3][4][5][6]. Various automated analyses of these documents [7][8][9][10][11][12] [13][14][15][16][17] show a binary being downloaded from the following locations:
This spam email comes with a malicious attachment.
From: Elfrida Wymer [WymerElfrida9172@recordshred.com] Date: 3 May 2016 at 12:40 Subject: You Are Fired BBF904D
We regret to inform you, yet we no longer need require your services. Attached you can find additional information and the payout roll for the last month.
It's a bit of a self-fulfilling prophecy. If you are daft enough to download the ZIP file, and extract and run the script then perhaps you WILL get fired.
This fake financial spam has a malicious attachment. It comes from random senders. Last week a fake "Second Reminder" spam was sent out.
From: Ernestine Perkins Date: 3 May 2016 at 08:54 Subject: Third Reminder - Outstanding Account
Dear Client,
We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue. For details please check document attached to this mail
We ask again that if you have any queries or are not able to make full payment immediately, please contact us.
Regards,
Ernestine Perkins Franchise - Sales Manager / Director - Business Co
Attached is a ZIP file which in the samples I have seen begins with Scan_ or Document_ each one of which contains four identical copies of the same script, e.g.:
Typical detection rates for the scripts seem to be about 3/56. The samples I have seen download a malicious binary from one of the following locations (there are probably more): digigoweb.in/k3lxe rfacine.com.br/z0odld boontur.com/b2hskde
These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1][2][3]. Various automated analyses [4][5][6][7][8][9][10][11][12][13][14] show that this is Locky ransomware, and it phones home to:
From: Janis Faulkner [FaulknerJanis8359@ono.com] Date: 29 April 2016 at 11:13 Subject: Second Reminder - Unpaid Invoice
We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid. For details please check invoice attached to this mail
Regards,
Janis Faulkner Chief Executive Officer - Food Packaging Company
Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website.
The scripts I have seen download slightly different binaries from the following locations:
VirusTotal detection rates are in the range of 8/56 to 10/56 [1][2][3][4]. In addition to those reports, various automated analyses [5][6][7][8][9] show that this is Locky ransomware phoning home to:
This fake document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple forgery with a malicious attachment.
There is no body text. Attached is a ZIP file with the recipients email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of malicious scripts, the ones that I have seen download a binary from:
The payload is Locky ransomware. This is hosted on what appears to be a bad server at:
134.249.238.140 (Kyivstar GSM, Ukraine)
Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo.at domain shows that it is multihomed on many IPs:
From: Kieth Valentine [Kieth.Valentine87@assistedlivingflorida.com] Date: 28 April 2016 at 16:32 Subject: Latest invoice [Urgent]
Hello,
We are writing to you about fact, despite previous reminders, there remains an outstanding amount of USD 5883,16 in respect of the invoice(s) contained in current letter. This was due for payment on 17 April, 2016.
Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue. The total amount due from you is therefore USD 5883,16
If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we will begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take affect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.
This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.
To view the the original invoice in the attachment please use Adobe Reader.
We await your prompt reaction to this email.
Best wishes,
Kieth Valentine
Royal Bancshares of Pennsylvania, Inc. 1(265)530-0620 Ext: 300 1(265) 556-3611
The only sample I have seen of this is malformed and the attachment cannot be downloaded. However, what it should be in this case is a file Latest invoice18.zip containing a malicious script 2016INV-APR232621.pdf.js. Analysis of this obfuscated script is pending, it is likely to be either Locky ransomware or the Dridex banking trojan.
This fake financial spam comes from randomly-generated senders, for example:
From: Britt Alvarez [AlvarezBritt29994@jornalaguaverde.com.br] Date: 28 April 2016 at 11:40 Subject: FW: Invoice
Please find attached invoice #342012
Have a nice day
Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are: http://rabitaforex.com/pw3ksl http://tribalsnedkeren.dk/n4jca http://banketcentr.ru/v8usja http://3dphoto-rotate.ru/h4ydjs http://switchright.com/2yshda http://cafe-vintage68.ru/asad2fl http://minisupergame.ru/a9osfg
The payload looks like Locky ransomware. The DeepViz report shows it phoning home to:
There is currently a very minimalist spam run leading to Locky ransomware, for example:
From: victim@victimdomain.tld To: victim@victimdomain.tld Date: 28 April 2016 at 11:21 Subject: Scan436
The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:
The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56. This Hybrid Analysis shows Locky quite clearly, and this DeepViz report shows it phoning home to:
From: CLAUDIA MARTINEZ [contab_admiva2@forrosideal.com] Date: 27 April 2016 at 16:22 Subject: Message from "RNP0BB8A7"
Este e-mail ha sido enviado desde "RNP0BB8A7" (Aficio MP 171).
Datos escaneo: 27.04.2016 00:31:10 (+0000) Preguntas a: soporte@victimdomain.tld
Attached is a randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:
This drops a version of what appears to be Locky ransomware with a detection rate of zero. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:
From: Andrew Boyd [BoydAndrew46@infraredequipamentos.com.br] Date: 27 April 2016 at 12:23 Subject: Price list
Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.
The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar.
Thanks to analysis from a trusted source (thank you!) it appears that there are several scripts, downloading a binary from one of the following locations: aaacollectionsjewelry.com/ur8fgs adamauto.nl/gdh46ss directenergy.tv/l2isd games-k.ru/n8eis jurang.tk/n2ysk lbbc.pt/n8wisd l-dsk.com/k3isfa mavrinscorporation.ru/hd7fs myehelpers.com/j3ykf onlinecrockpotrecipes.com/k2tspa pediatriayvacunas.com/q0wps soccerinsider.net/mys3ks warcraft-lich-king.ru/i4ospd haraccountants.co.uk/k9sjf
This downloads Locky ransomware. The executable then phones home to the following servers:
From: Jeffry Rogers [Jeffry.RogersA5@thibaultlegal.com] Date: 26 April 2016 at 12:58 Subject: Missing payments for invoices inside
Hi there!
Hope you are good.
Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.
BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.
Kind Regards
Jeffry Rogers
Henderson Group
Tel: 337-338-4607
I have only seen a single sample of this, it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:
This drops a file pretending to be favicon.ico which is actually an executable with a detection rate of 3/56. This Hybrid Analysis and this DeepViz report indicate network traffic to:
Following on from this post and previous ones in that series, here is a new set of IP ranges where the Angler EK seems to be clustering. In addition, I updated the list of PlusServer ranges where Angler is becoming a critical problem too.