Sponsored by..

Friday 21 November 2014

StockTips.com spam.. or Joe Job?

When I saw this StockTips.com spam, I assumed that it was a pump-and-dump scam.

From:     StockTips.com
Date:     21 November 2014 07:58
Subject:     Sign up now

StockTips

Want to make money with stocks?
Sign up at http://www.stocktips.com/ for a small monthly fee only.


© 2001-2012 StockTips.com. All Rights Reserved.

StockTips.com is operated by Amerada Corp


Here is another version of the body text:


Stock
Tips

Stock Tips Delivered to your Inbox!
Stock Tips is the #1 stock alert service... As always membership is 100% FREE!


© 2001-2012 StockTips.com. All Rights Reserved.

StockTips.com is operated by Amerada Corp



The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.

So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketer tend not spam the same recipients over and over again. So perhaps it is a Joe Job.

IP address analysis

The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indicate that it might be a Joe Job.

62.143.125.49 Unitymedia, Germany Project Honeypot shows that it has only been used for spam quite recently.  It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised.
188.66.76.4 Gamma Telecom, UK Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server.
80.38.8.21 Telefonica de Espana SAU, Spain Resolves as 21.Red-80-38-8.staticIP.rima-tde.net, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time.
88.156.185.92 Vectra S.A., Poland Description is "Vectra Broadband Users" which indicates a DSL or cable connection. Project Honeypot has no data.
187.94.214.35 Feliz Acesse Comunicacao Ltda, Brazil No data on this, could be a domestic IP address.
79.180.189.55 Bezeq International Ltd, Israel Appears to be a domestic broadband user.
78.187.242.217 TurkTelekom, Turkey ADSL subscriber
176.94.67.198 Arcor AG, Germany Arcor / Vodafone DE business customer.

What about StockTips.com itself?

StockTips.com is a snazzy looking site..


But there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.

A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.

Scrolling down the page gives a clue as to what this might be about..


A $37 signup fee? No thanks.. but it says it is a one time fee but the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.

Something else caught me eye.


HAIR was the subject of a massive pump-and-dump spam run last year. After StockTips.com recommended HAIR in May of 2012, the share price basically fell off a cliff.

Hmmm.

A bit of Googling around shows a lot of negative comment about StockTips.com. There are some accusations that I have not been able to verify that they are involved in paid stock promotions for the penny stocks that they list.

The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that StockTips.com has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.

Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.

"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC

This fake financial spam has a malicious Word document attached.

From:     Enid Tyson
Date:     21 November 2014 15:36
Subject:     INV209473A Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks

Enid Tyson
Accounts Department
In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro [pastebin] which connects to the following URL:

http://79.137.227.123:8080/get1/get1.php

I only have one sample at the moment, there are probably other download locations, the This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.

This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].

UPDATE:
A second version is going the rounds, with zero detections  and a download location of

http://61.221.117.205:8080/get1/get1.php

A copy of the malicious macro can be found here.

Something evil on 46.8.14.154

46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort.

The following subdomains have been active on that server, they are ALL hijacked GoDaddy domains:

band.animagraphic.net
casual.animagraphics.org
emissions.usanicotinebiz.com
family.animagraphics.com
format.animagraphics.net
george.animagraphics.net
hunger.usanicotinenow.com
indictment.animagraphic.net
interest.animagraphics.org
keeps.animagraphics.net
nearest.zeezoarticles.com
overwhelmingly.ecigvv.com
revolt.animagraphics.biz
south.animagraphics.com
tests.animagraphics.net
textile.animagraphics.org
this.animagraphics.net
transplant.madvapor.com
floatingtpoint.vzeliquid.com
delivering.animagraphics.biz
week.animagraphics.biz
speaks.animagraphics.biz
automobile.animagraphics.biz
herself.vvmod.com
obtained.vzmod.com
unixtbased.ecigvv.com
transplant.madvapor.com
metric.animagraphics.com
norway.animagraphics.com
plays.nicotinegiant.com
majority.usanicotinenow.com
underground.usanicotinenow.com
o.animagraphic.net
costs.animagraphic.net
illinois.animagraphic.net
rape.animagraphics.net
usable.animagraphics.net
presents.animagraphics.net
upper.hotzonenow.com

Domains spotted so far with malicious subdomains:

animagraphics.org
usanicotinebiz.com
animagraphics.com
animagraphics.net
usanicotinenow.com
zeezoarticles.com
ecigvv.com
animagraphics.biz
madvapor.com
vzeliquid.com
vvmod.com
vzmod.com
madvapor.com
nicotinegiant.com
hotzonenow.com

The best thing to do is to block traffic to 46.8.14.154 because these domains seem to change every few minutes.

Tuesday 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

http://mrconsultantpune.com/dropbox/document.php

********************************************************* 
This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes these following HTTP requests:

http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de

Monday 17 November 2014

"Test message" spam plague continues..

This plague of spam "test messages" have been going on for two days now, probably sourced from "Botnet 125" which sends most of the spam I get. These messages are annoying but no harmful in themselves, I suspect they are probing mail servers for responses.

If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.

From: Hollie <Laurie.17@123goa.com>
Date: 17 November 2014 19:04
Subject: Test 8657443T


test message.

Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard.

----------

From: Bethany <Toney.b0c@tbmeca.pl>
Date: 17 November 2014 20:00
Subject: Test 513081H


test message.

George Washington's existing building was constructed in 1960 and has had many renovations since its opening. His parents ran a restaurant, but his father emigrated to South America and never returned.
From 1971 to 1975, he was head of the Semiconductor Electronics Research Department. AIDS, which marked one of the most painful parts of Blotzer's life.

----------

From: Lilly <Glenn.75@ottcommunications.com>
Date: 17 November 2014 19:18
Subject: Test 547004K


test message.

On its full length, it passes through 14 provinces of Turkey. During the night, Dudu develops a cough and in the morning he is rushed to a local hospital.
The regular season was won by the Sevilla FC Puerto Rico, which became the first team to win two regular season cups. Letter to the World Narcotic Defense Association.

----------

From: Eddie <Darwin.87@satfilm.net.pl>
Date: 17 November 2014 19:20
Subject: Test 769978N


test message.

District 16 in the upper chamber. These allegations were followed by a long investigation of the convent that caused much inner strife amongst the nuns.
The teams alternate turns on who will pick first depending on the night. Bellona's report on RTG lighthouses.

----------

From: Alba <Young.69@discoverwhitewater.org>
Date: 17 November 2014 20:18
Subject: Test 7900710A


test message.

DR B1 and DQ B1 polymorphisms in patients with coronary artery ectasia. The Thames at Brentford.
Chi world GNI percapita. Little known gems are unearthed.

----------

From: Neal <Nichole.23b@business.telecomitalia.it>
Date: 17 November 2014 19:03
Subject: Test 974193J


test message.

It is a very good preparation for further studies in law, literature and linguistics. IPSC and USPSA provide for two power factors, major and minor.
Lake Agassiz can also be seen today. He threatened her, saying that if she told anyone, he would kill her too.

----------

From: Sabrina <Ross.68a@213-5-41-251.bestgo.pl>
Date: 17 November 2014 19:17
Subject: Test 685552L


test message.

The episode starts with girls comments about Alyona's leaving. US 52 leaves the highway here.
Cwmgors Community Centre by Aberdare Blog. Darcy invites Spinner over after she finishes packing for summer camp so they can spend time together before she leaves.

----------

From: Debora <Raquel.6b8@mmgphotographystudio.com>
Date: 17 November 2014 20:22
Subject: Test 409258E


test message.

Combined with manual transmission, these cars were often used as drag racers due to their light weight. A break in his health led to his retirement in 1920.
The company milled lumber and ground flour. Improving the existing headroom under the bridge from 3.

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment

From:     Interfax [uk@interfax.net]
Date:     13 November 2014 20:29
Subject:     Failed Fax Transmission to 01616133969@fax.tc<00441616133969>

Transmission Results
Destination Fax:  00441616133969
Contact Name:  01616133969@fax.tc
Start Time:  2014/11/13 20:05:27
End Time:  2014/11/13 20:29:00
Transmission Result:  3220 - Communication error
Pages sent:  0
Subject:  140186561.XLS
CSID:
Duration (In Seconds):  103
Message ID:  485646629

Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net


Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysis this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:

http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53

If you are a corporate email admistrator they you might consider blocking .DOCM files at the perimeter as I can see no valid reason these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.

Friday 14 November 2014

Dear spammers.. alotbqobutarkwqechsdovmzfwa to you too.

Dear spammers,

Sending links out like this to drive people to your fake meds site does not work.

From: Tudu [tudu@tin.it]
Sent: 15 November 2014 03:42
To: bernie@nternet.net
Subject:

https://www.google.com/#&q=alotbqobutarkwqechsdovmzfwa&btnI=qysawyt

Even if you stuff your page with what you think are unique keywords such as:



njhzxtfnpvcqgoyuayuhvtsi
dcyfwfcuiahjrifjmpxwlshj
crulbvxcm
ejerwja
uxsiyulmkggsnwjdsujrq
srpxkpnrzupqgfwzlkqonlhhrsk
fcgfsrlomywpykhasppybuen
svsoyteg
yuezkbmsqyhpsicqslrwhvcru
scveevyvstumdryosftulvn
ocwpikfchbarwqinqdrorqiufsqp
alotbqobutarkwqechsdovmzfwa
esbmoulaj
xfshvrgaeckuzhosymxzccjplpcwg
ywifvjeikl
qfwtytmfeeqzf
aaosxoqtdcduwycjhyannf
ybyqgfztbadtwbrvwhypbdjs
xiitpggczmb
nsjgtbsklpwpldu
zvgpumys
pthnpdo
xaorfzpfgviomnbrcbasmfoormsr
gxascwhwfbjdmpcgdey
ykqlnxzt
tdcgedlfvlleuyqn
mgoozaxm
mlrbtiyhpqdwthpdiqgvwkq
uhcjljmguohkmywgylmin
coxmfzumeftmqfczjvnols
sitlhrcwzueprwfyxv
ntxaawsgvdinzyhiylfdgd
nvhwjvqwcxkovoitkxfkjbttfvr
yimclbkcepmqhiec
ebhnypr
oezgaikkapwzthzkfbrtrowmu
xyejkdaxhc
iixpkiijdgrkvqrkngpmxrfwohwvr
amgfgmedyl
cqqbjakpkepaje
hmibwgcdexsm
rjmiavdxujexjktnmtp
kvqthzutebojwnzpzvzhzbrfcb
saeelzoemfcahrlzyllnugbwze
jvnfagrti
lvdycqtozmiwphqmpa
pufhpiotdvdimlsp
cimbmhkagoxnbaxngvxyfcrtlcnxc
qbnuhspjgqawxrf
jbhbhyqkurdqgktvvs
frcmtegacgvxqshruzeakhxfzxq
dtctnrkgwwvdg
ajtnchnawtnrtnlvkxho
yjyhzpenvqmgibef
masyqrwqslofd
khcldmiexfrrruq
fvqadsbhetodzgqvywuxtowhwa
ungrhogqrabqwzrajtjpomvcirxkfp
nncneijcvcwwnyxxgowjvvm
olwdtxqggnsudjtzhyt
mhxmtdnkzseiiizpzmwjnpwtppp
sihsozhgbpybvanyfrfttlk
tkbjkzpdpyvylkon
mmgaklau
jtenvfqsybmghjcabaeetj
fmjcfqmjzstssznbgdpqwaoc
lhedbliildq
qivwguigzmcwkdpezdds
wllbbhjyrditsxzlunskabhqiedg
niazkntdfyoncfgyzq
ndwbqjjtbaoqgegxo
ahjznanwpcmcpvrnsbmtxrssavfv
gmgxhwptdawtd
abwwkrykctoaywhhwrjofirpjfss
oaxhwkodgnvmtmd
dkligclavpa
nsrquhibivbijwvgutozsh
zhwsicrhehejyxggffcsebodxtpgtf
ckrsugdugtefqlebtixupguhdcnmlx
hitsfbk
dilvysgqresg
uqeguta
xuivhwgnruxgnnyrilaxwkqnfv
xuafdrsacr
rkwxzzrmerkcyllbw
qtvzkfzcfzukksxfnrmp
xhkldsr
clavwtpoujkmtbvmrhvqn
oqszjgojzeqfijbpgvnhuqfck
cuszgksdz
czgukflpmspirlhvejmwwojwzgfhh
zafgbpytcoehgeyfhwktqcwhpk
zboupfxmctek
upmihrmqu
odtiuxpysrcozahkrvcr
rkqfakqcwjwrks
ycxkfqyydheisfwydapfrkraur
wzunqlutibfsrrgxmnlqtevs
vlsealvrrvboe
asglyylkuscbammxtkdxornguidnd
ytkcijrfpvj
qaqjzhlprprjivzyrhpvhmenkzj
ojgtgpajla
lbccjwlyrwxd
rolpcaytfijigoogljgzow
zvclpenmm
owitfuirvwlzz
mitjvykqxhkkxirgzegyiddtj
oabwjyjkrcbqxzzp
auzidohkvsthbpduiakqn
rvthoowlmrpkyvpijbidoamdaonie
rybberhm
rybuxcxehxiardpehok
xwisbggcwxopkjyhpjq
dhnebpfvpmpktdm
nuowacsgolfcqvoohuasktwnyw
ovxzcmcf
ueqakehjhnpdajljlxn
lehmezqstjowkzzykxgnvqzli
kkiwyqlemxuksrbodhnyglijwcoml
yduzveynpyktsewzrpqblaw
flnxsjbelopudwaiuxod
lbpwduzwwcoipfxqsgccnxjaoukgua
rktlnsorbpfjgjqhq
xnyezxt
nqkqmewjrjiqckuaf
vvbmbwfovoff
iogxxkdqq
ftcndjjdx
glbhxwhj
fxjocyuhsedsntabgoo
uokhkuqvwrxrpijbdxfw
 
..it isn't going to stop awkward bastards like me from hijacking your search results.

[FYI.. I did not send out the spam you clicked. Somebody sent out a spam advertising a fake meds site healthshdweb.com - I am merely hijacking their attempts to direct people to the site through superiour search engine optimisation]

Thursday 13 November 2014

"Test mesage" / "hi there" spam

Here's an unusual spam run coming through right now.. it doesn't seem to have a payload at all..

From:     Bryon Jimenez [Eunice.f2a@simaya.net.id]
Date:     13 November 2014 12:09
Subject:     Test mesage 612985B

hi there

Where the valley narrows into the cleft of the mountains, a lake lies surrounded by lush grasses. Putting another image may not reflect the article's subject logo.
Genesee and Flushing Townships where split off on March 6, 1838. French missionary and philosopher.
We did a lot of shows to 20 people in a bar who were more interested in cheap drinks than they were the band. Camps and social works.
Commented out because it's imprecise and contains false information. It is given to those who do not actively seek it. After the transfer period ended, Guerreiro apologised to Bajevic and was given another chance and is now a member of the squad.

================

From:     Ruben Randall [Josef.e9@business.telecomitalia.it]
Date:     13 November 2014 11:06
Subject:     Test mesage 3144664L

hi there

Player 1 then presses any one of the top red phrase buttons and listens to the beginning half of a phrase. Peter Murray on Debrett's website.
Asopus had twenty daughters but he provides no list. It supports a 240 MW power station.
Profilo di architettura italiana del Novecento, Marsilio, Venezia, 1999, pp. Then the teacher posts the assignment.
American born electronic music producer and DJ now residing in Berlin, Germany. The role of Cio Cio San like most other characters she has portrayed is quickly becoming a signature for her. Williamson, Garner and Musgrove Company, and the Cagli and Paoli Opera Company.

================

From:     Selma Carter [Lloyd.525@raisetherock.com]
Date:     13 November 2014 12:11
Subject:     Test mesage 0254082S

hi there

It was Federer's 3rd title of the year and the 3rd of his career. EL to see if your link meets the Wikipedia style guide.
Squadron Leader Pentland in New Guinea, c. Users can stream music directly from ZumoDrive to iPhone, iPod Touch, Android and WebOS devices.
The work received little critical attention. Saura also attempts to strengthen autobiographical themes found in the original story.
Methodists, in the area. Today it is not uncommon to find early Corgi models with such additions still intact. Edmund Sebastian Joseph van der Straeten.
In all cases "Test mesage" is spelled incorrectly and the body is just "hi there". Because there is no malicious payload (such as an attachment or link) and the message lacks the sort of trigger words that might get it blocked then there is a high probability that at least some of these will get through your spam filter/

Vodafone D2 "Ihre Festnetz-Rechnung für November 2014" spam

This fake Vodafone spam seems to be widely distributed, even though it is obviously targeted at German speakers.

From:     Vodafone D2 [2942-MU31406aBM0@kundenservice.vodafone.de] [pm2053em1]
Date:     13 November 2014 09:13
Subject:     Ihre Festnetz-Rechnung für November 2014


Ihre Kundennummer: 883286157

Sehr geehrte Damen und Herren,

anbei erhalten Sie Ihre Rechnung vom 13.11.2014.

13.11.2014_09:11:07_Rechnung_Kundennr_861570000883286157.pdf

Der Rechnungsbetrag in Höhe von 357,26 EUR wird am 23.11.2014 von Ihrem Konto abgebucht.

Ihre Rechnung ist im PDF-Format erstellt worden. Um sich Ihre Rechnung anschauen zu können, klicken Sie auf den Anhang und es öffnet sich automatisch der Acrobat Reader.


Freundliche Grüße
Ihr Vodafone Team

In this case, the link in the email goes to studiarte.com/gFlEyLcSo where it downloads a file 2014_11vodafone_onlinerechnung.zip which contains a malicious binary 2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

This file has a very low detection rate at VirusTotal of 1/53. Most automated analysis tools [1] [2] [3]  don't say much, however the ThreatTrack report [pdf] is more details and apparently shows the malware phoning home to:

46.183.219.78 (DataClub, Latvia)
178.210.167.213 (Markum Bilisim Teknolojileri, Turkey)

Additionally, the following IPs and active domains are queried:

64.27.101.155 (Ken Thomas, US)
109.74.3.6 (GleSYS Internet Services, Sweden)
144.76.59.84 (Hetzner, Germany)
177.73.233.170 (WDI Solucoes Ltda, Brazil)
212.19.62.76 (ANW GmbH, Germany)

5.199.167.197 (Balticservers, Lithunia)
86.124.164.25 (RCS & RDS Business, Romania)
66.172.27.44 (Cyberverse, US)
141.255.165.152 (Privatelayer, Switzerland)
141.255.165.155 (Privatelayer, Switzerland)
173.193.106.11 (Softlayer, US)

qgajlouuhqbikgbd.eu
qrbroaiyynlqluld.eu
tadhvhvdhgtaxnpd.eu
bcqikqgkbiwccmpj.eu
ciomywfqliwtvjft.eu
vgekmcvfuiwrepmm.eu
xqnaiuvgctjdtnmj.eu
eaelgqsjqukhenaq.eu
tejohjlxraqmamnx.eu

Some of these DGA domains have been sinkholed, I have removed obvious ones but not that some of these IP addresses may not actually be malicious. However, if you are a network administrator there is no harm in blocking or monitoring sinkholes from your network, so I would recommend the following blocklist:

46.183.219.78
178.210.167.213

109.74.3.6

177.73.233.170

5.199.167.197
86.124.164.25
66.172.27.44
141.255.165.152
141.255.165.155
173.193.106.11

UPDATE 2014-11-20
I previously recommended blocking the following IPs which it turns out are legitimate, possible added by the malware authors to create false positives. If you have blocked them then I recommend unblocking them.

64.27.101.155
144.76.59.84
212.19.62.76

Wednesday 12 November 2014

"ADP Past Due Invoice#39911564" spam

I haven't seen ADP-themed spam for a very long time, mostly because it gets filtered into a deep dark hole that even I can't see into.

From: billing.address.updates@ADP.com [mailto:billing.address.updates@ADP.com]
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564

 Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

 If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

 Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

 Important: Please do not respond to this message. It comes from an unattended mailbox.
Most of the ones that I have seen are malformed and instead of a link they just say <html> which is one reason that it is getting through the spam filter. I have seen one live one, leading to [donotclick]www.bingemann-buerosysteme.de/services/invoice1211.php

This downloads a ZIP file invoice1211_pdf28.zip which in turn contains a malicious executable invoice1211_pdf.exe which has a VirusTotal detection rate of 6/54.

It then contacts the following URLs according to the Malwr report:
http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/
http://188.165.206.208:30083/1211uk1/HOME/1/0/0/
http://shahlart.com/miniuk1.pmg
http://mboaqpweuhs.com/mhninqiiifrd3ku
http://mboaqpweuhs.com/nt09kq47fv6k0

Recommended blocklist:
188.165.206.208
shahlart.com
mboaqpweuhs.com

Exchange House Fraud (Police Headquaters) / omaniex@investigtion.com spam

I got a lot of these yesterday that I've only just noticed..

From:     omaniex@investigtion.com
Subject:     Exchange House Fraud (Police Headquaters)


please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.

Note: come along with your report as it will be needed

regards,
Police headquarters.
Investigtion dept. 

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:

7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar

This is some sort of malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably don't need it). It has a VirusTotal detection rate of 7/55 and the Malwr report has some screenshots of something odd happening, but not much more data.

Tuesday 11 November 2014

"Duplicate Payment Received" spam has a malicious Word DOC attached

This email comes with a malicious Word document attached:

From:     Margery George
Date:     11 November 2014 11:50
Subject:     INV634746Q Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £689.75 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks 
The reference number in the subject is randomly generated and is reflected in the filename (in this case De_634746Q.doc. There are two different variants I have seen with low detection rates at VirusTotal [1] [2]. These contain two slightly different malicious macros [1] [2] [pastebin] which download a file test.exe from one of the following locations:

http://62.76.180.133/get/get.php
http://62.76.189.108/get/get.php


Note that the IPs are very close, and both belong to Clodo-Cloud / IT House Ltd in Russia. The file is then copied to %TEMP%\NYHEFLJDPZR.exe which has a VirusTotal detection rate of just 1/53.

According to the Malwr report this malicious binary then connects to the following URLs:

http://178.254.57.146/6e@YL/Pjys_~ik/XTuG_XcFEWZpmmB%2C
http://213.140.115.29/G7uwLNQS7fpyGnLHM6qt.HlqA%7Ekp/$O%20FlsN%2C9%3FnC52/wmk.ka.JM%3D%7EpuQ8.I5.4S5
http://213.140.115.29/tUoRAgJ%3DK9V/iwrsseF9oo+z%2DO%2BpbMS/ZY%2BuPUzJI6
http://213.140.115.29/uf432orqHmh&ihs/%24p2z7El%3Fe6ea%2D%2Cxg8_zbu2$zF7t%26j$73sS%2B/%2B%3F3w%2Dh%3D


It also drops a malicious DLL identified which has some generic VirusTotal detection only, but is probably Cridex or Dridex.

Recommended blocklist:
178.254.57.146
213.140.115.29
62.76.180.133
62.76.189.108


nazarethcare.com / Accounts Finchley "Bank Payments" has a malicious attachment

This fake invoice spam pretending to be from a care home in the UK comes with a malicious attachment.

From:     Accounts Finchley [accounts.finchley@nazarethcare.com]
Date:     11 November 2014 10:34
Subject:     Bank Payments

Good Afternoon,

Paying in sheet attached

Regards

Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London
N2 ORU
Tel:02088831104
Fax:02084443691
Nazareth Care Charitable Trust- Registered Office – Larmenier Centre, 162 East End Road, London N2 ORU
Registered Charity – England & Wales – 1113666, Scotland – SCO42374
Registered Company registered in England & Wales – Company Number 05518564

The contents of this message are for the attention and use of the named addressee(s) only.  It, and any files transmitted with it, may be legally privileged or prohibited from disclosure or unauthorised use.  If you are not an intended recipient or addressee, any form of reproduction, dissemination, copying, disclosure, modification, distribution or publication is prohibited and may be unlawful and the sender will accept no liability for any action taken or omitted to be taken in reliance upon this message or its attachments.
Whilst all efforts are made to safeguard inbound and outbound e-mails, no guarantee can be given that attachments are virus-free or compatible with your systems, and we do not accept any liability in respect of viruses or computer problems experienced.
Any views expressed in this message are those of the individual sender, and do not necessarily represent those of the Sisters of Nazareth.
The domain nazarethcare.com forwards to the Sisters of Nazereth. None of these organisations is actually sending the spam, their systems have not been compromised in any way. The "from" field in an email is trivially easy to fake, as it looks like the body text may have been stolen from a compromised mailbox.

Attached is a file 2014_11_07_14_09_19.doc which comes in two versions both with low VirusTotal detection rates [1] [2]. If macros are enabled then one of two macros [1] [2] [pastebin] which then downloads a file from one of the following locations:

http://www.grafichepilia.it/js/bin.exe
http://dhanophan.co.th/js/bin.exe


This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53. The Malwr report shows it phoning home to:

http://84.40.9.34/kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/

It also drops a DLL identified by VirusTotal as Dridex.

Monday 10 November 2014

"Kate Williams" / "invoice 8798556 November" spam has a malicious DOC attachment

This fake invoice spam comes with a malicious Word document attached:

From:     Kate Williams
Date:     10 November 2014 09:40
Subject:     invoice 8798556 November

Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8798556 Account No 5608798556.
Thanks very much

The number of the invoice is random and is consistent between the subject and attachment (in this case invoice_8798556.doc). There are two different attachments, both poorly-detected at VirusTotal [1] [2] each containing a malicious macro [1] [2].

I haven't been able to analyse it myself yet, but according to this comment it downloads a binary from adeline.de/js/bin.exe which has a low VirusTotal detection rate and for which the comments from user borromini say:

#malware #dridex

Downloaded by malicious word doc with macro (f9d6161e1b26cf6faab4ac0eecde3a7d).

POST requests to

84.40.9.34:8080

87.106.84.226

Also tried 37.139.23.200:8080 and 213.143.97.18:8080  
UPDATE
The macros I mentioned download from the following locations:

http://adeline.de/js/bin.exe
http://antjegoerner.de/dokumente/bin.exe


The executable is then copied to %TEMP%\CQRZKMIESEX.exe and the ThreatTrack report [pdf] shows the malware connecting to 84.40.9.34 (Hostway, UK) where it POSTS to /hCsYvpW%26lZaTGPBgK$W%264P49%24%2BNU&Y/H%26%20@Kg
5SvSh8+unz%7Eg6f%24G on that server.

Friday 7 November 2014

"Sue Morckage" / "This email contains an invoice file attachment" spam

This fake invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
From:     Sue Morckage
Date:     7 November 2014 13:10
Subject:     inovice 9232088 November

This email contains an invoice file attachment
The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2] [Malwr report] which contains one of two malicious macros [1] [2] which then go and download a binary from one of the following locations:

http://ksiadzrobak.cba.pl/bin.exe
http://heartgate.de/bin.exe

This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54, but so far automated analysis tools [1] [2] [3] are inconclusive as to what this does, however the payload is likely to be Cridex.


No, I do not want to go to your spammy disco

I've seen some odd spam in the past. I've never been spammed by an Essex disco operator before:

From:     ronnie-s-dj Professional Entertainment [info@ronnie-s-dj.co.uk]
Date:     7 November 2014 06:24
Subject:     Christmas New Year 2014! Disco & Karaoke Party Time

The spamvertised domains are karaoke-dj.co.uk and ronnie-s-dj.co.uk and the same owner also operates ronwindsor.co.uk. I'll spare him the embarrassment of listing his address.

I assume that Ron bought a cheap mailing list in good faith without realising that it was worthless, and then proceeded to spam out from his BT IP of 109.154.39.151 via Outlook.com with abandon. Unfortunately, this sort of thing gets both your web hosting suspended and internet access revoked.

Hopefully Ron has a better idea of how to run a disco than how he promotes his business. But I don't fancy a trip down to Essex to find out.

europejobdays.com and other fake job sites to avoid 7/11/14

This tip from @peterkruse about a spam run pushing fake jobs using the domain europejobdays.com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain.

These fake job sites tend not to go alone, and a look a the other domains using  the same namesevers comes up with a whole list of related fake sites that you should also avoid:

europejobdays.com
bamfde.com
myjobuk.com
usajobid.com
jobsiniteu.com
mycareerau.com
trabajoses.com
infopracapl.com
itjobrapido.com
jobstreetmy.com
jobstreetus.com
myjobromania.com
trabajospain.com
profesiaczech.com
careersprocanada.com
subitoit.net
stemcellcounseling.net

You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below.

Tuesday 4 November 2014

DUCO "Remittance Advice November" spam

This fake remittance advice spam does pretends to come from a company called DUCO (it does not) and comes with a malicious Word document.

From:     Therese Holden
Date:     4 November 2014 13:59
Subject:     Remittance Advice November FO1864232P

Dear Sir/Madam

Please find attached the details of the payment credited to your account for the sum of 1739.67 GBP

Regards,
Therese Holden
Accounts Payable Department DUCO
The attachment is a Word document with a randomly-generated filename that matches the subject of the email, it contains a malicious macro [pastebin] with a VirusTotal detection rate of 0/52 (you can see the Malwr report here, it doesn't say much). In this case the macro downloads a file from http://144.76.153.36:8080/doc/9.exe and saves it as %TEMP%\DCITXEKBIRG.exe, this is also poorly detected with a detection rate of just 3/52.

The Malwr report shows that the malware reaches out to the following URLs:

http://91.222.139.45/%26RNB2/hs3SILqWzl1%24x%20/rI9sI
http://213.140.115.29/9m0/xvgsH.jTg@/NsY/75/0b50
http://213.140.115.29/1u1mS$%3D=cVE%3DUPI%7EVe94/L&%3D%20yqWbqmNh$oP/
http://213.140.115.29/ktp6rp3vnx/x%7Egxlkki%20%2D56g%7E%20=&%3Fg%3Fx4j/r+~f6j%7Efwin%2Bcywc/%24yxvmo


It also drops a DLL on the system identified by VirusTotal as Cridex.

Recommended blocklist:
91.222.139.45
213.140.115.29
144.76.153.36