"End of Aug. Statement Required" spam / ivanovoposel.ru

This spam leads to malware on ivanovoposel.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 02 April 2013 10:15
Subject: Re: FW: End of Aug. Statement Reqiured

Hallo,
as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards
SHONTA SCHMITT

Alternate names:
NORIKO Richmond
Raiden MORRISON

Attachments:
Invoice_U13726798.htm
Invoice_U453718.htm
Invoice_U913687.htm

The attachment leads to malware on [donotclick]ivanovoposel.ru:8080/forum/links/column.php (report here) hosted on:
80.246.62.143 (Alfahosting GmbH, Germany)
94.103.45.34 (ANKARAHOSTING, Turkey)

Blocklist:
80.246.62.143
94.103.45.34
humaniopa.ru
hiskinta.ru
illuminataf.ru
izamalok.ru
ilianorkin.ru
hillaryklinton.ru
izjianokr.ru
ivanovoposel.ru
hohohomaza.ru

"Russian Hackers" spam / kidala.info / hack-sell.su

These spam messages appear to be promoting the underground websites kidala.info and hack-sell.su, both of which appear to be engaged in hacking, crimeware and fraud. But is there something else going on here?

Date:      Tue, 2 Apr 2013 18:07:48 +0700 [07:07:48 EDT]
Subject:      Russian hackers has you neo!

Russian hackers has you neo!
kidala dot info
or this kidala.info

==========================

Date:      Tue, 2 Apr 2013 17:17:29 +0700 [06:17:29 EDT]
Subject:      Russian hackers has you neo!

Need buy some shells?
http://kidala.info

==========================

Date:      Tue, 2 Apr 2013 16:27:24 +0700 [05:27:24 EDT]
Subject:      Russian hackers has anything you need.

World Best hack conference hereurl here: kidala.info

==========================

Date:      Tue, 2 Apr 2013 12:30:09 +0530 [03:00:09 EDT]
Subject:      World Interesting hack site here

Hi Manurl here: http://hack-sell.su

==========================

Date:      Tue, 2 Apr 2013 02:58:24 +0200 [04/01/13 20:58:24 EDT]
Subject:      Russian hackers mafia OWNS YOU!

Russian mafia has you...
hack-sell.su
or this hack-sell dot su

==========================

Subject:      Russian bad boys forum here, come join!

World baddest hackers join us hereurl here: hack-sell .su

==========================

Date:      Mon, 1 Apr 2013 16:01:59 -0400 [04/01/13 16:01:59 EDT]
Subject:      Russian hackers has anything you need.

Prime hack portal here!
hack-sell dot su
or this hack-sell dot su 

(Note that the emails may appear to be "from" your own account or someone in your own organisation. Don't worry, you have not been hacked.. forging an email address is trivially easy (described here).

But there's something unusual because these spams are being sent repeatedly to SpamCop.net email addresses, and I haven't seen them anywhere else. So why send spam emails to people who are very likely to file an abuse complaint.. unless you want the recipient to file an abuse complaint, that is.

This sort of attack pattern looks like a Joe Job, perhaps from a rival to these two underground forums. Targeting addresses that will likely file a complaint is a sort of reverse listwashing, and the pattern of repeated emails to the same address is also a Joe Job characteristic. And the thing about underground forums.. well, they don't tend to spam at all because they like to remain under the radar.

The sites don't appear to be hosting malware, if you've accidentally clicked through then there you are probably OK, although both sites look like they are down at the moment. There may well be more Joe Jobs after this one though, so don't be surprised if more rubbish floods your inbox.

Update: these subject lines are in use at the moment..
Best crack phorum so far!
Best hack conference so far!
Need buy some abuseimmune servers?
Need buy some injects?
Need buy some loads?
Need buy some socks?
Need buy some traffic?
Russian bad boys forum here, come join!
Russian hackers has anything you need.
Russian hackers has you neo!
Russian mafia has you...
Russian hackers mafia OWNS YOU!
Superior crack site so far!
World baddest hackers join us here
World Best hack website here
World Superior hack conference here

"Please respond - overdue payment" spam / INVOICE_28781731.zip

This spam comes with a malware-laden attachment called INVOICE_28781731.zip:

Date:      Fri, 29 Mar 2013 10:33:53 -0600 [12:33:53 EDT]
From:      Victor_Lindsey@key.com
Subject:      Please respond - overdue payment

Please find attached your invoices for the past months. Remit the payment by 02/04/2013
as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Victor Lindsey

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. Thank you. 

Unzipping the attachment gives a malware filed called INVOICE_28781731.exe with an icon to look like a PDF file. VirusTotal detections are 16/46 and are mostly pretty generic. Comodo CAMAS reports a callback to topcancernews.com hosted on 199.19.212.149 (Vexxhost, Canada) which is also being used in this malware attack. Looking for that IP in your logs might show if any of your clients.

ADP Spam / ipiniadto.ru

This fake ADP spam leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:22:48 +0600 [03/27/13 18:22:48 EDT]
From:      Bebo Service [service@noreply.bebo.com]
Subject:      ADP Immediate Notification

ADP Immediate Notification
Reference #: 120327398

Thu, 28 Mar 2013 04:22:48 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.


This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 975316004
HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious landing page and recommended blocklist are the same as for this parallel attack also running today.

Facebook spam / ipiniadto.ru

The email address says Filestube. The message says Facebook. This can't be good.. and in fact this message just leads to malware on ipiniadto.ru:

Date:      Thu, 28 Mar 2013 04:58:33 +0600 [03/27/13 18:58:33 EDT]
From:      FilesTube [filestube@filestube.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
BERTIE Goldstein has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 

The malicious payload is at [donotclick]ipiniadto.ru:8080/forum/links/column.php (report here) hosted on the same IPs as used in this attack:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
heepsteronst.ru
hillairusbomges.ru
hillaryklinton.ru
hinakinioo.ru
hiskinta.ru
hjuiopsdbgp.ru
hohohomaza.ru
hondatravel.ru
humaniopa.ru
humarikanec.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru
ipiniadto.ru

Changelog spam / Changelog_Urgent_N992.doc.exe

This fake "changelog" spam has a malicious attachment Changelog.zip which in turn contains a malware file named Changelog_Urgent_N992.doc.exe

From:      Logistics Express [admin@ups.com]
Subject:      Re: Changelog 2011 update

Hi,
as promised changelog,

Michaud Abran 

VirusTotal detects the payload as Cridex. The malware is resistant to automated analysis tools, but Comodo CAMAS reports the creation of a file C:\Documents and Settings\User\Application Data\KB00085031.exe which is pretty distinctive.

If your email filter supports it, I strongly recommend that you configure it to block EXE-in-ZIP files as they are malicious in the vast majority of cases.

"Scan from a Xerox W. Pro" spam / ilianorkin.ru

This fake printer spam leads to malware on ilianorkin.ru:

From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD

The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:
66.249.23.64
69.46.253.241
140.114.75.84
humaniopa.ru
hiskinta.ru
hohohomaza.ru
humarikanec.ru
hondatravel.ru
hillaryklinton.ru
hinakinioo.ru
hjuiopsdbgp.ru
hillairusbomges.ru
heepsteronst.ru
ilianorkin.ru
iliminattii.ru
illuminataf.ru

NACHA spam / mgithessia.biz

This fake NACHA spam leads to malware on mgithessia.biz:

From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association


11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894

The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.

DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and  5.187.4.58 (the same).

Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org