Sponsored by..

Friday, 22 May 2015

Malware spam: "Your Invoice IN278577 from Out of Eden" / "sales@outofeden.co.uk"

This fake invoice does not come from Out of Eden Ltd but is instead a simple forgery leading to malware.

From: sales@outofeden.co.uk [mailto:sales@outofeden.co.uk]
Sent: 22 May 2015 10:50
Subject: Your Invoice IN278577 from Out of Eden

Dear customer,

Thank you for your order. Please find attached a DOC copy of your invoice IN278577 from sales order S391622.

Your order was despatched on 21/05/2015.  Please check the order on delivery and report any shortage, damage or discrepancy within 48 hours from of receipt of this invoice.

If you would prefer to receive a paper invoice or if this email has been sent to the wrong address, please email sales@outofeden.co.uk or call our Customer Service Team on 017683 72939.

Kind Regards,

Customer Services
Tel: 017683 72939
Please consider the environment before printing this email

Out of Eden Ltd
The UK's Most Popular One-Stop-Shop for Hospitality Products www.outofeden.co.uk

Home Farm Buildings, Kirkby Stephen.  CA17 4AP
Tel: 01768 372 939 Fax: 01768 372 636
Email: sales@outofeden.co.uk
VAT no: 621 2326 86
Reg. in England & Wales - Co. No. 3178081
The payload is very similar to the one found in this earlier spam run, the payload appears to be the Dridex banking trojan.

My contact who sent the information about this spam run (thanks!) also sent the following data about the attachments and download locations. I haven't had time to look into it any further.

hxxp://thepattersonco[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: b15ac324d13f8804959a81172317a4ba

hxxp://www[dot]footingclub[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: d89c0affa2c1b5eff1bfe55b011bbaa8

hxxp://hci-ca[.]com/85/20.exe/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 98c3a42b0d958333a4108e04f10d441f

hxxp://www.seedsindaphne[.]org/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: 13dfb8bd543e77453cfd0ab3d586ba77 

hxxp://mercury.powerweave[.]com/85/20.exe
Attachment: Invoice IN278577 (emailed 2015-05-21).doc
MD5: cf5a5ec18a9031f998a1a3945ca10379


Malware spam: "This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc." / "Australian Taxation Office"

This spam doesn't seem to know if it's from Lloyds Bank or the Australian Tax Office.

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    22 May 2015 at 10:31
Subject:    Remittance Advisory Email


Monday 22 May 2014

This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.

Please review the details of the payment here.


Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.
The link in the email goes to a download page at sharefile.com and leads to an archive file FAX_82APL932UN_772.zip containing a malicious executable FAX_82APL932UN_772.scr which has a date stamp of 01/01/2002 (presumably to make it harder to spot).

This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] show that it downloads another file from:

relianceproducts.com/js/p2105us77.exe

This is renamed to csrss_15.exe and has a detection rate of 3/54. It is most likely a component of the Dyre banking trojan.

In addition, this Hybrid Analysis report shows traffic to:

209.15.197.235 (Peer 1, Canada) [relianceproducts.com]
217.23.194.237 (BLICNET, Bosnia and Herzegovina)

Recommended blocklist:
209.15.197.235
217.23.194.237

MD5s:
eb26a6c56b7f85b3257980d0c273c3cf
178a4e3dfa0feea04079592d3113bd2e


Thursday, 21 May 2015

Malware spam: "Travel order confirmation 0300202959" / "overseastravel@caravanclub.co.uk"

This fake booking confirmation (received from a contact - thanks!) does not come from the Caravan Club, but is a simple forgery with a malicious attachment:

From: overseastravel@caravanclub.co.uk [mailto:overseastravel@caravanclub.co.uk]
Sent: 21 May 2015 12:34
Subject: Travel order confirmation 0300202959    
    
Dear Customer,

Thank you for your travel order.

Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.

Now you have booked your trip why not let The Club help you make the most of your stay?

Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?

Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.

If you ’’ ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .

Yours sincerely    

The Caravan Club
The file in this case is called Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run.

Malware spam: "Invoice# 2976361 Attached" / "PGOMEZ@polyair.co.uk"

So far I have only seen one sample of this. The sender and subject may vary.
From:    PGOMEZ@polyair.co.uk
Date:    21 May 2015 at 08:58
Subject:    Invoice# 2976361 Attached

Invoice Attached - please confirm..


This transmission may contain information that is privileged and strictly confidential.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately.  Thank you.

Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:

http://mercury.powerweave.com/72/11.exe

This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:

78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195

MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e

Wednesday, 20 May 2015

Malware spam: "Sky.com / Statement of Account" and "Voice Mail / You have a new voice" via volafile.io

These two spam runs attempt to download malware from volafile.io. To give the folks at Volafile credit, all the malware I have seen linked to has been taken down. I suspect that the payload is the Dyre banking trojan.

From:    Sky.com [statement@sky.com]
Date:    20 May 2015 at 12:30
Subject:    Statement of account

Afternoon,

Please find the statement of account, download and view from the link below:

https://dl4.volafile.io/download/8eFEP-cNVEX-Jg/statement_00429117.zip

We look forward to receiving payment for the September invoice as this is now due for payment.

Regards,
Elliot

This email, including attachments, is private and confidential. If you have received this email in error please notify the sender and delete it from your system. Emails are not secure and may contain viruses. No liability can be accepted for viruses that might be transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members: Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.


======================

From:    Voice Mail [Voice.Mail@victimdomain]
Date:    20 May 2015 at 12:11
Subject:    You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs5419167125_001

The transmission length was 41
Receiving machine ID : BA9R-DUQUC-TY7T

To download and listen your voice mail please follow the link below: https://dl3.volafile.io/download/rnTYPuYNVEX6Jw/statement_00429114.zip

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
volafile.io is a pretty uncommon place to share files, so it might be worth looking at your traffic to see if there have been any unexpected requests to that site.


Tuesday, 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] shows that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Monday, 18 May 2015

Malware spam: "Your reasoning stands in need" / "Have a need in your thought" / "In want of your concern"

This fake financial spam run is similar to this one last week, and comes with a malicious attachment.

From:    Aida Curry
Date:    18 May 2015 at 11:40
Subject:    Your reasoning stands in need

Good Afternoon,
We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
If you need any application of bills please do not hesitate to contact us
Regards,
Aida Curry

-------------------

From:    Cornelius Douglas
Date:    18 May 2015 at 11:39
Subject:    Your reasoning stands in need

Good morning
Please find attached   a remittance advice, relating to a outpayment made to you.
Many thanks
Regards,
Cornelius Douglas
Seniour Finance Assistant

-------------------

From:    Jewell Shepard
Date:    18 May 2015 at 11:37
Subject:    Have a need in your thought

Please, see the attached similar of the remittance.
Please, can you remit a revised pronouncing so we can settle any outstanding balances.
Kind Regards,
Jewell Shepard
Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration

There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from  193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe.

This executable has a VirusTotal detection rate of 4/57. The Malwr and Hybrid Analysis reports indicates traffic to 5.63.154.228 (Reg.Ru, Russia) and also shows a dropped Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
5.63.154.228
193.26.217.220

MD5s (executable):
af15ba558c07f8036612692122992aad
0074fdc06f8b1da04c71feb249e546dc

Wednesday, 13 May 2015

Malware spam: "Need your attention,''Important notice" / "Financial information" / "Important information"

This mix of spam messages come with a malicious attachment:

From:    Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
To:    "it-dept@victimdomain"
Date:    13 May 2015 at 11:39
Subject:    Need your attention,''Important notice

Good Afternoon,

We have received a payment from you for the sum of £ 686.  Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564  less the £3254.00 received making a total outstanding of £ 878.  We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014.  We are keen to close all the old accounts down, for both tax and year end reasons.  We would be very grateful in your assistance in settling the outstanding.

If you need any copy invoices please do not hesitate to contact us

Regards,

Johnny Higgins

--------------------------

From:    Rowena Mcconnell [RowenaMcconnellev@telemar.it]
To:    tedwards@victimdomain
Date:    13 May 2015 at 11:38
Subject:    Financial information

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Rowena Mcconnell

--------------------------

From:    Jimmie Cooley [JimmieCooleyzils@fsband.net]
To:    server@victimdomain
Date:    13 May 2015 at 11:34
Subject:    Important information

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Jimmie Cooley
Seniour Finance Assistant

Each attachment is slightly different, but does contain the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many are corrupt and are either Base 64 encoded or are "404 Not Found" files.

If the file is correctly format, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs, but crucially also it downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.

This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.

Recommended blocklist:
46.36.217.227
91.226.93.110

MD5s:
9afecfaa484c66f2dd11f2d7e9dc4816
d2f825ecfb3d979950b9de92cbe29286



Tuesday, 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957

Recommended blocklist:
92.63.88.0/24
46.36.217.227


Malware spam: "Copy of your 123-reg invoice ( 123-015309323 )" / "no-reply@123-reg.co.uk"

This fake invoice is not from 123-reg, but is instead a simple forgery with a malicious attachment:

From:    no-reply@123-reg.co.uk
Date:    12 May 2015 at 10:17
Subject:    Copy of your 123-reg invoice ( 123-015309323 )

Hi,

Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.

https://www.123-reg.co.uk
About us | Privacy policy
© Copyright 123-reg - Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.
Attached is a Word document 123-reg-invoice.doc which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:

http://fosteringmemories.com/432/77.exe

..which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs:

37.143.15.116 (Internet-Hosting Ltd, Russia)
62.152.36.90 (Host Telecom Net, Russia)
89.28.83.228 (StarNet SRL, Moldova)
185.15.185.201 (Colobridge gmbh, Germany)


According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201

MD5s:
3fcc933847779784ece1c1f8ca0cb8e4
3540c517132a8a4cd543086270363447
0bb376ba96868461ffa04dd70dc41342


Monday, 11 May 2015

Malware spam: "Payment details and copy of purchase [TU9012PM-UKY]"

I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you)..

From:    Kristina Preston [Kerry.df@qslp.com]
Date:    11 May 2015 at 12:56
Subject:    Payment details and copy of purchase [TU9012PM-UKY]

Dear [redacted]

On 08/05/15 you have requested full payment details and copy of purchase. Please refer to document in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Kristina Preston
Brewin Dolphin
The names and references change between different versions, but in all cases there is a malicious DOC file attached. This DOC has an unusual structure in that it is a some sort of MIME file containing a mixture of HTML and Base64-encoded segments.

My source has analysed that this downloads a VBS file from Pastebin at pastebin[.]com/download.php?i=FsYQqTaj which then downloads some sort of .NET binary from 91.226.93[.]14:8080/stat/get.php (Sobis, Russia)

This binary has a detection rate of 2/56 and according to automated analysis tools [1] [2] it communicates with:

46.36.217.227 (FastVPS, Estonia)

It also drops a DLL with an MD5 of f0d261147d2696253ab893af3d125f53 and a detection rate of 1/56.

Recommended blocklist:
46.36.217.227
91.226.93.14

Wednesday, 6 May 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This spam does not come from Transport for London, but is instead a simple forgery with a malicious attachment.

From:    noresponse@cclondon.com
Date:    6 May 2015 at 12:44
Subject:    Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.


Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates [1] [2] [3] [4] containing various macros [1] [2] [3] [4]. These attempt to download an executable from one of the following locations:

http://jkw-sc.com/111/46.exe
http://aimclickbang.com/111/46.exe
http://www.haunersdorf.de/111/46.exe
http://volpefurniture.com/111/46.exe


This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show attempted network traffic to:


62.152.36.90 (Filanco Ltd, Russia)
89.28.83.228 (StarNet, Moldova)
185.12.95.191 (RuWeb CJSC, Russia)
185.15.185.201 (Colobridge, Germany)


This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.

Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201


MD5s:
412ce577521a560459cd711f5966caf4
997bafa825426a3456625983878cb5df
bab231ddf87a24dd81638483f209d238
a49a337f1189dd139499a102b635c918
079f0c588769f6961d888614cf140812
03f9a963fefffc4b97b880a8c4ad208b

Thursday, 30 April 2015

Nepal Earthquake scam: savenepal.org

I was tipped off to this site by a contact, but it appears that there are some particularly dispicable scammers who have registered a fake website called savenepal.org which is soliciting donations via PayPal.

The site largely cloned from the legitimate ActionAid site which is genuinely seeking donations to go to Nepal.

ActionAid is "Registered charity no 274467" (it says so on the bottom of the page). SaveNepal.org claims to be "Registered charity no 276187", but we can check at the UK charities commission and we can see that the charity with this number is actually an orchestra.


Clicking "Donate" on the scam site leads to PayPal. It doesn't give much of a clue about the ownership of the fake site:


The WHOIS details for the domain are hidden using WhoIsGuard. These other sites appear to be live on the same server:

com-indexhtml.link
com-indexhtml.us
grantsekit.com

Out of these, only com-indexhtml.us has a non-anonymous WHOIS entry:

Registrant ID:                               C4E83B25FA8AD52D
Registrant Name:                             Frank J. Moore
Registrant Address1:                         2441 Byers Lane
Registrant City:                             Davis
Registrant State/Province:                   CA
Registrant Postal Code:                      95616
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.5307574940
Registrant Email:                            uscustomerhelp@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


I'm pretty sure that those contact details are fake. Going back through historical WHOIS comes up with different contact details:

Registrant ID:                               29B0B5BBD7190398
Registrant Name:                             dinna  james
Registrant Address1:                         po box 876
Registrant City:                             dl
Registrant State/Province:                   dl
Registrant Postal Code:                      110098
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +1.918978978
Registrant Email:                            helpot80@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12


Of course, these contact details could also be false and there's no definite connection to savenepal.org yet. But out of curiosity, who is helpot80@gmail.com?  Googling doesn't reveal much, but it does show a copy of a conversation in the news.admin.net-abuse.email where someone who is claiming to use this email address is complaining about spam. If we then use Google Groups to find the original newsgroup post we see it was posted from an IP of 182.68.85.242 which is a dynamic Bharti Airtel IP in India, which does at least match the country in the WHOIS details.

Another Google result is this Phishtank entry listing social2013.com/rockgrade/ which appears to be a copy of the Rock Grade Management scam site I covered way back in 2011, indicating that perhaps these two scams are related. helpot80@gmail.com was listed as the owner of social2013.com before it expired in February 2015.

This WHOISology report links the address to several domains:

beauty6k.com
social2013.com
droughty.com
auto36.us
secure2013.us

Also, 94.242.255.129 has hosted many other domains, many of which appear to be scammy.

com-13.pw
com-21.us
com-indexhtml.us
news7d.com
mynews360.com
grantsekit.com
social2013.com
secured2014.com
usgrantskit.com
savenepal.org
com-indexhtml.link
huffingtonpost.com-indexhtml.link
dear.graphics

Many of these have the helpot80@gmail.com address listed in their historical WHOIS entries.

What else can we find out?

The email address is connected with this scammy looking Facebook page allegedly giving away "free laptops"



The email address also links to this Google+ profile naming them as "N. Al.". It also links to this YouTube channel with a single video about Payoneer. These Profiles indicate that helpot80@gmail.com has an interest in affiliate marketing, an activity with a mixed reputation.

I cannot prove that helpot80@gmail.com is connected with the savenepal.org, but they probably know whoever is behind it.

Remember, if you want to donate to ANY disaster charity, it is worth checking very carefully that you are dealing with the real thing and not a bunch of scammers.

Malware spam: "Rebecca McDonnell [rebecca@gascylindersuk.co.uk]" / "Telephone order form"

This fake financial email is not from Gas Cylinders UK but is instead a simple forgery with a malicious attachment.

From:    Rebecca McDonnell [rebecca@gascylindersuk.co.uk]
Date:    30 April 2015 at 09:54
Subject:    Telephone order form

Telephone order form attached
Regards,

Rebecca McDonnell
Business Administrator

340a Haydock Lane, Haydock Industrial Estate,
St Helens, Merseyside, WA11 9UY
DDI:  01744 304338
Fax: 01942 275 312
Email: rebecca@gascylindersuk.co.uk


***** D i s c l a i m e r *****

This e-mail message is confidential and may contain legally privileged information. If you are not the intended recipient you should not read, copy, distribute, disclose or otherwise use the information in this e-mail.  Please also telephone us on 0800 622 6330, immediately and delete the message from your system. E-mail may be susceptible to data corruption, interception and unauthorised amendment, and we do not accept liability for such corruption, interception or amendment or the consequences thereof.
There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56 and contained this malicious macro [pastebin] which downloaded a component from the following location:

http://morristonrfcmalechoir.org/143/368.exe

This is saved as %TEMP%\serebok2.exe and has detection rate of 8/56. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:

212.227.89.182 (1&1, Germany)

The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55.


Wednesday, 29 April 2015

cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"

This spam email is actually part of a long-running Chinese scam.

From:    Jim Bing [jim.bing@cnwebregistry.cn]
Date:    29 April 2015 at 14:27
Subject:    Re:"[redacted]"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn
Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.

In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.

This video I made a while ago explains the scam in more detail:



Tuesday, 28 April 2015

Malware spam: "INVOICE PD Will Comm" / "richard will [contactwill@hotmail.com]"

This malicious spam does not come from Will Communications but is instead a simple forgery with a malicious attachment.

From:    richard will [contactwill@hotmail.com]
Date:    28 April 2015 at 09:05
Subject:    INVOICE PD Will Comm

Thank-you for your payment!

Richard Will

Will Communications, Inc.
richard@willcommunications.com

The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base 64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56 and it contains this malicious macro [pastebin]. In this case, the macro downloads a component from:

http://massachusettsselfstorage.com/62/927.exe

..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53. There may well be other documents that download from other locations, but the binary will be the same in all cases.

Automated analysis tools [1] [2] [3] show that it attempts to communicate with the following IP:

185.12.95.191 (RuWeb CJSC, Russia)

According the the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56.

MD5s:
67a5facf854a72382a8d8e308027baa3
f998950151c5922cd2c338290e78a420
59f03febb357e343f33937b9925b8846

Monday, 27 April 2015

Malware spam: "[1138593] Booking.com Invoice 01/03/2015 - 31/03/2015" / "invoice@booking.com"

This fake invoice email does not come from Booking.com but is a simple forgery with a malicious attachment.
From:    invoice@booking.com
Date:    27 April 2015 at 08:55
Subject:    [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Dear customer,

Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.

If you have any questions, please contact our Credit Control Department at telephone number
+44 (0)208 612 8210 (e-mail:  ).

Thank you for working with Booking.com.
The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://voipconcerns.com/62/927.exe

There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)

According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57.

MD5s:
6aa26f04b22b284dda148ce317f53de8
a92cdc17c74b1a008d3c239006fdf042
1c90c45e0bdfb91a8a73c1f6d1e738fe

Friday, 24 April 2015

Malware spam: "Pidwell, Nigel [nigel.pidwell@ssecontracting.com]" / "Western Order"

The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:
From:    Pidwell, Nigel [nigel.pidwell@ssecontracting.com]
Date:    24 April 2015 at 08:47
Subject:    Western Order

Regards

Nigel Pidwell
Administrator
SSE Contracting Limited
T: +44 (0) 1637 889506
E: nigel.pidwell@ssecontracting.com
Unit 8, Hurling Way,
St Columb Major Business Park, St Columb Major, Cornwall
TR9 6SX
www.sseenterprise.co.uk



So far I have only seen one sample Western Order.doc [VT 4/57] which contains a malicious macro [pastebin] which is functionally identical to the one used in this spam run which was also happening this morning.

Malware spam: "Colin Fox [colin@nofss.co.uk]" / "Invoice 519658"

This spam is not from Norwich Office Supplies but is instead a simple forgery. They have not been hacked (even if their website says they have).
From:    Colin Fox [colin@nofss.co.uk]
Date:    24 April 2015 at 09:40
Subject:    Invoice 519658

Please find Invoice 519658     attached 
The attachment is Sales Invoice 519658.pdf [VT 2/57] This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55] which in turn contains a malicious macro that looks like this [pastebin].

There may be different versions of the macro, but in this case it downloads a component from:

http://bepminhchi.com/83/61.exe

..which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57 and automated analysis tools [1] [2] [3] show an attempted network connection to:

185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)


In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228

Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec


Thursday, 23 April 2015

Malware spam: "Refund on order 204-2374256-3787503" / "Amazon.co.uk [payments-messages@amazon.co.uk]"

This fake Amazon spam comes with a malicious attachment:

From:    Amazon.co.uk [payments-messages@amazon.co.uk]
Reply-To:    "Amazon.co.uk" [payments-messages@amazon.co.uk]
Date:    23 April 2015 at 09:58
Subject:    Refund on order 204-2374256-3787503

Dear Customer,

Greetings from Amazon.co.uk.

We are writing to confirm that we are processing your refund in the amount of £4.89 for your
Order 204-2374256-3787503.

This amount has been credited to your payment method and will appear when your bank has processed it.

This refund is for the following item(s):

Item: Beautiful Bitch
Quantity: 1
ASIN: 1476754144
Reason for refund: Customer return

The following is the breakdown of your refund for this item:

Item Refund: £4.89

Your refund is being credited as follows:

GC: £4.89

These amounts will be returned to your payment methods within 5 business days.

The amount credited to your Gift Card balance should be automatically applied to your next eligible
order on our website.

Have an issue with your refund, or a question about our refund policy?
Visit our Help section for more information:

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1161010

Please note: The credit note for this transaction is attached to this e-mail and to open, you will
need Adobe Reader. If you do not have an Adobe Reader, please visit the following link to download
it: http://get.adobe.com/reader/

This credit note is the detailed breakdown of the refund showing the item(s), delivery costs and
associated VAT for each item. This credit note is largely applicable to business customers who
should retain it for accounting purposes. It’s not possible to redeem or use the credit
note number from this credit note towards an order. Visit our Help pages for more information on
refunds.

Thank you for shopping at Amazon.co.uk.

Sincerely,

Amazon.co.uk Customer Service
http://www.amazon.co.uk


Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail.
Please do not reply to this message.

An advanced electronic signature has been attached to this electronic credit note. To add the certificate
as a trusted certificate, please follow these instructions:
1. Click on the 'Signature Panel' in the upper right corner
2. Expand the drop-down in the newly opened Signatures menu, expand the 'Signature Details' drop-down and
   click 'Certificate Details'
3. In the Certificate Viewer box click on the 'Trust' tab, click 'Add To Trusted Certificates' and then
   click OK
4. In the Import Contact Settings box, ensure that 'Use this certificate as a trusted root' is selected,
   click OK, and then click OK again


Attached is a file 204-2374256-3787503-credit-note.doc which probably comes in several versions, however the one I analysed had a detection rate of 4/57 and contained this malicious macro [pastebin] which downloads a component from:

http://qube.co.il/42/335.exe

..which is saved as %TEMP%\pierre3.exe and which currently has a detection rate of 3/42 (42?). Automated analysis tools [1] [2] [3] [4] indicate that it calls out to the following IPs:

185.12.95.191 (RuWeb CJSC, Russia)
87.236.215.151 (OneGbits, Lithuania)
94.23.171.198 (OVH, Czech Republic)
185.35.77.250 (Corgi Tech, UK)
149.154.64.70 (TheFirst-RU, Russia)

The Malwr report says that it drops a Dridex DLL which currently has a detection rate of 17/56.

Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70

MD5s:
e52a8d15ee08d7f8b4efca1b16daaefb
57b54e248588af284871c2076f05651c
ca5c5b79ce16d888ba2a6747b9d033d3