Sponsored by..

Tuesday, 25 August 2015

Malware spam: "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" via sugarsync.com

 This fake Dropbox email leads to malware, hosted on the sharing service sugarsync.com.

From:    June Abel via Dropbox [no-reply@dropbox.com]
Date:    25 August 2015 at 12:59
Subject:    June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you

June used Dropbox to share a file with you!

Click here to download.

© 2015 Dropbox
I have seen three different samples with different download location:


In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55. Analysis is pending, but the payload appears to be the Dyre banking trojan.

The Hybrid Analysis report shows traffic to (Cobranet, Nigeria) which I recommend you block.

Malware spam: "Visa Card Aug 2015" / "david@ellesmere.engineering"

This fake financial spam does not come from Ellesemere Engineering but is in fact a simple forgery with a malicious attachment.

From     [david@ellesmere.engineering]
To     "'Sharon Howarth'" [sharon@ellesmere.engineering]
Date     Tue, 25 Aug 2015 09:52:47 +0200
Subject     Visa Card Aug 2015

Visa Card payments this month

This email has been checked for viruses by Avast antivirus software.

Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of three malicious macros [1] [2] [3] that then attempt to download a malicious binary from one of the following locations:


This executable has a detection rate of just 1/55 and the Malwr report shows network traffic to: (Hostpro Ltd, Ukraine)

I strongly recommend that you block that IP address. The payload to this is almost definitely the Dridex banking trojan.


Monday, 24 August 2015

Popular German wesite dwdl.de hacked, serving malware via

Popular German media website dwdl.de has been hacked and is serving up malware, according to this URLquery report.

URLquery's IDS function detects what looks like the RIG Exploit kit:

The exploit is in injected code pointing to a server at (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops.com which is a hijacked GoDaddy domain.

The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:

VirusTotal gives an overview of other malicious domains on this server. It indicates that the following domains have been hijacked and malicious subdomains set up:


Malware spam: "Message from scanner" / "scanner.coventrycitycentre@brianholt.co.uk"

I don't have the body text for this particular message, but I can tell you this is not from Brian Holt (a property agent in Coventry, UK) but is instead a simple forgery with a malicious attachment.

Subject     Message from scanner
From     scanner.coventrycitycentre@brianholt.co.uk
X-Mailer     KONICA MINOLTA bizhub C360
Date     Wed, 12 Aug 2015 08:19:28 +0000
Message-Id     [55CB0190.015.00206B68D2CD.scanner.coventrycitycentre@brianholt.co.uk]
MIME-Version     1.0
Content-Type     multipart/mixed; boundary="KONICA_MINOLTA_Internet_Fax_Boundary"
Content-Transfer-Encoding     7bit

To show the level of detail the bad guys go to, they have even included extra mail headers (usually hidden) to attempt to identify the sender as a Konica MFD. It's a strange thing to do, considering that anyone skilled enough to examine the mail headers should also notice the malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54.

The Hybrid Analysis report shows the malware POSTing to:


.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on (RTComm-Sibir, Russia). The  network range of does seem to contain some legitimate Russian-language sites, but you might want to block the whole range to be on the safe side.

The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware.

Friday, 21 August 2015

What the hell is event.swupdateservice.net?

So.. I saw some mysterious outbound traffic to event.swupdateservice.net/event ( / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive.

The WHOIS details for the domain are anonymised (never a good sign), and the IP address is also used by event.ezwebservices.net which uses similarly hidden details. Team Cymru have an analysis of what is being phoned home to this mystery server, and I found an existing Malwr analysis referencing the alternate domain.

I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine. Various analysis tools confirm that it generates this traffic [1] [2] [3].

The binary itself does not identify its creator. I found various references (such as in this report) linking this software and the domains to Emaze.com (a "free" presentation tool) and a look at the users traffic logs indicates that they visited this site, referred to it by VisualBee.com which is some sort of https://www.hybrid-analysis.com/sample/f479a3779efb6591c96355a55e910f6a20586f3101cd923128c764810604092f?environmentId=1PowerPoint plugin.

Neither domain identifies itself through the WHOIS details, not can I find any contact details on either site. A look through the historical WHOIS for VisualBee.com gives:

   Administrative Contact:
      info, info  info@visualbee.com
      visual software systems LTD.
      6 Hanechoshet st.
      Tel-Aviv, Israel 69710

And for Emaze.com:

   Administrative Contact:
      Rubenstein, Steven  rubenstein.steven@gmail.com
      504 224th PL SE
      Bothell, Washington 98021
      United States

This Crunchbase profile for Shai Schwartz links the two companies.

I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend blocking traffic to:


Thursday, 20 August 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This fake TfL spam comes with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Thu, 20 Aug 2015 17:04:26 +0530
Subject     Email from Transport for London

Dear Customer

Please open the attached file(7887775.zip) to view correspondence from Transport
for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.
The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56 and 1/57. These two Hybrid Analysis reports [1] [2]  show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:

These GET requests are a characteristic of Upatre/Dyre. is allocated to C2NET, Czech Republic and I strongly recommend that you block it.

Those Hybrid Analysis reports also identify some botnet IPs and dropped files, which I suggest that you study if interested.

Search the Ashley Madison hacked leaked database (enter name or email)

Search the Ashley Madison hacked leaked database (enter name or email)
E-mail of the cheater: or
First name: Last Name: fuzzy

Nothing found
The profile_relationship column specifies the relationship status.
So, if it's a "2", it's a cheating man. The pref_opento items, which is a list of sexual fantasies users are open to:
1: "Threesome"
3: "Being Dominant/Master"
4: "Being Submissive/Slave"
6: "Bondage"
7: "Conventional Sex"
11: "Fetishes"
14: "Nothing Kinky"
15: "One-Night Stands"
17: "Role Playing"
18: "Sex Talk"
19: "Spanking"
21: "Experimenting with Tantric Sex"
22: "Transvestitism"
23: "Experimenting with Sex Toys"
23: "Exploring with Sex Toys"
26: "Aggressiveness"
27: "Blindfolding"
28: "Bubble Bath for 2"
29: "Cuddling & Hugging"
30: "Curious - Domination"
31: "Curious - Submission"
32: "Dressing Up/Lingerie"
33: "Erotic Movies"
34: "Erotic Tickling"
36: "Extended Foreplay/Teasing"
37: "Gentleness"
38: "Good With Your Hands"
39: "Kissing"
40: "Light Kinky Fun"
41: "Likes to be Watched/Exhibitionism"
42: "Likes to Give Oral Sex"
43: "Likes to Receive Oral Sex"
44: "Likes to Go Slow"
45: "Lots of Stamina"
46: "Open to Experimentation"
48: "Sensual Massage"
49: "Sharing Fantasies"
50: "Someone I Can Teach"
51: "Someone Who Can Teach Me"
52: "You Like to Cross Dress"
They also have a "looking for" section. Those numbers are:
1: "A Don Juan"
4: "Sense of Humor"
6: "Aggressive/Take Charge Nature"
9: "Average Sex Drive"
10: "Confidence"
11: "Discretion/Secrecy"
12: "Dislikes Routine"
14: "Good Personal Hygiene"
16: "Has a Secret Love Nest"
17: "High Sex Drive"
18: "Imagination"
19: "Likes Routine"
30: "A Professional/Well Groomed"
31: "Stylish/Classy"
32: "Casual Jeans/T-shirt Type"
33: "Tattoos"
34: "Body Piercing"
35: "BBW"
36: "Full Size Body"
37: "Muscular/Fit Body"
38: "Petite Figure"
39: "Slim to Average Body"
40: "Tall Height"
41: "Short Height"
42: "Long Hair"
43: "Short Hair"
44: "Girl Next Door"
45: "Naughty Girl"
46: "Bad Boy"
47: "Boy Next Door"
48: "Creative and Adventurous"
49: "Relaxed and Easy Going"
50: "Hopeless Romantic"
51: "A Father Figure"
52: "Not Possessive"
53: "A Good Listener"
54: "Good Communicator"
55: "Disease Free"
56: "Drug Free"
57: "Casual/Social Drinker"
58: "Seeking a Sugar Baby"
59: "Seeking a Sugar Daddy"
60: "Natural Breasts"
61: "Facial Hair"
62: "Tall, Dark and Handsome"

Wednesday, 19 August 2015

Malware spam: "SHIPMENT NOTICE" / "serviceuk@safilo.com"

This fake financial spam does not come from Safilo UK Ltd but is instead a simple forgery with a malicious attachment:

From     serviceuk@safilo.com
Date     Wed, 19 Aug 2015 17:47:46 +0700

Dear Customer,

 please be informed that on Aug 19, 2015 we sent you the following items:

1    pieces from order 1I5005729
1    pieces from order 1I5005841


To find out all details concerning your orders and shipments open the file here attached
or go to the Order status page of the site.

Safilo UK Ltd.
Attached is a file ship20150817.zip which in turn contains a malicious executable ship20150817.exe which has a detection rate of 4/56. According to these automated analysis tools [1] [2] the malware attempts to phone home to:


.SU (Soviet Union) domains are bad news in general, if you can I would recommend blocking traffic to all of them. This domain is hosted on the following IPs: (Zenon N.S.P., Russia) (Bashrtcomm LIR, Russia) (Bashrtcomm LIR, Russia)

You might want to consider blocking:

This though is the recommended minimum blocklist:

I am not entirely certain of the payload as the download locations seem to be unreliable.

Monday, 10 August 2015

Malware spam: "Gabriel Daniel" / "Resume" / "Gabriel_Daniel_resume.doc"

This fake résumé comes with a malicious attachment:

From:    alvertakarpinskykcc@yahoo.com
Date:    10 August 2015 at 19:40
Subject:    Resume
Signed by:    yahoo.com

Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter

Kind regards

Gabriel Daniel
Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin] which has a VirusTotal detection rate of 2/56.

As far as I can tell, it appears to download a disguised JPG file from (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on..

So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:


It also directs the visitor to various personalised ransom pages hosted on (Agava, Russia).

Recommended blocklist:


Malware spam: "Premium Charging MI Package for Merchant 17143013" / "GEMS@worldpay.com"

This fake financial email does not come from Worldpay but is instead a simple forgery with a malicious attachment:

From:    GEMS@worldpay.com
Date:    10 August 2015 at 10:17
Subject:    Premium Charging MI Package for Merchant 17143013

*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.

So far I have seen only one sample with named 17143013 01.docm. Despite having a detection rate of 5/55 at VirusTotal, the document is malformed and is Base 64 encoded. When manually decoded it still has a detection rate of 5/55 and it contains this malicious macro [pastebin] which then downloads a component from:


This is exactly the same payload as seen in this spam run also from this morning.

Malware spam: "Your order 10232 from Create Blinds Online: Paid" / "orders@createblindsonline.co.uk"

This fake invoice does not come from Create Blinds Online but is instead a simple forgery with a malicious attachment.

From:    orders@createblindsonline.co.uk
Reply-To:    orders@createblindsonline.co.uk
Date:    10 August 2015 at 07:59
Subject:    Your order 10232 from Create Blinds Online: Paid

We would like to thank you for your recent order.

Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232
Invoice Number: 10232
Delivery Note:

We received your order and payment on Aug/102015

Your order details are attached:

Kind regards
Create Blinds Online Team

This electronic message contains information from  Create Blinds Online which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.

Attached is a file invoice-10232.doc which comes in at least two different variants [1] [2] containing a macro that looks like this [pastebin]. This attempts to download a malicious binary from one of the following locations:


The VirusTotal detection rate for this is 3/55. The Malwr report and Hybrid Analysis reports show that it generates traffic to (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan.


Friday, 7 August 2015

Malware spam: "Sleek Granite Computer" / "saepe 422-091-2468.zip" / "nulla.exe"

What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment is comes with.

From:    mafecoandohob [mafecoandohob@bawhhorur.com]
To:    Karley Pollich
Date:    7 August 2015 at 13:17
Subject:    Sleek Granite Computer

Good day!

If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.

Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
The only sample of this I had was malformed and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe.

This has a VirusTotal detection rate of 4/55 with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre / Dyre traffic pattern to:

This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom.eu. Traffic is also spotted to: (Triolan / Content Delivery Network, Ukraine) (LTnet, Czech Republic)

There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.

Recommended blocklist:


Thursday, 6 August 2015

Malware spam: "Voice message from 07773403290" / ""tel: 07773403290" [non-mail-user@voiplicity.co.uk]"

This fake voicemail spam comes with a malicious attachment:

From     "tel: 07773403290" [non-mail-user@voiplicity.co.uk]
Date     Thu, 06 Aug 2015 11:54:43 +0300
Subject     RE: Voice message from 07773403290
I was not able to determine if there was any body text from my sample collector, however each sample had an identical attachment message_01983527496.wav.zip which contains a malicious executable message_01983527496.exe. This has a VirusTotal detection rate of 5/55 and automated analysis tools [1] [2] show it POSTing to:


This is hosted on a RU-Center IP address of in Russia. Furthmore, a malicious executable is downloaded from the following locations:


In turn, this has a detection rate of 2/55 and automated analysis of this [1] [2] show that it phones home to (Web Hosting Solutions, Estonia).

The payload is unclear at this point, but you can guarantee that it will be nothing good.

Recommended blocklist:


Spam: "The Funding Institute" / thefundinginstitute.org and fundinginstitute.org, Patchree Patchrint and Anthony Christopher Jones (yet again)

"The Funding Institute" (using the domains thefundinginstitute.org and fundinginstitute.org) is yet another highly questionable site set up by Patchree (Patty) Patchrint and Anthony Christopher Jones of California, who I have covered on this blog several times before (tip: the comments for many of those posts are very interesting if you are doing research).

A tip from "Jimmy" in this post reveals a new name for the scheme, simply called "The Funding Institute" and although apparently using the domain thefundinginstitute.org, it is actually hosted on a crappy free website at fundinginstitute.myfreesites.net.

I haven't personally received spam about this one, but it is not hard to find examples [1] [2] [3] [4] and the one from discard.email is the most interesting (I copy it here in its entirety):

The Funding Institute is offering the Grant Funding and  Proposal Writing Essentials Course
 to be held in New York, New York on the campus of The State University of New York from July 15-17, 2015. Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.

All participants will receive certification in professional Grant writing. For more information call (213) 347-4899 or visit The Funding Institute website.

Please find the program description below:

The Funding Institute's
Grant Funding and  Proposal Writing Essentials Course will be held in New York, New Yorkon the campus of the The State University of New YorkJuly 15-17, 20158:00 AM - 5:00 PM
 The Grant Funding and  Proposal Writing Essentials Course
 is an intensive and detailed introduction to the process, structure, and skill of professional proposal writing. This course is characterized by its ability to act as a thorough overview, introduction, and refresher at the same time. In this course, participants will learn the entire proposal writing process and complete the course with a solid understanding of not only the ideal proposal structure, but a holistic understanding of the essential factors, which determine whether or not a
program gets funded. Through the completion of interactive exercises and activities, participants will complement expert lectures by putting proven techniques into practice. This course is designed for both the beginner looking for a thorough introduction and the intermediate looking for a refresher course that will strengthen their grant acquisition skills. This class, simply put, is designed to get results by creating professional grant proposal writers.

Participants will become competent program planning and proposal writing professionals after successful completion of the Grant Funding and  Proposal Writing Essentials Course.  In three active and informative days, students will be exposed to the art of successful grant writing practices, and led on a journey that ends with a masterful grant proposal.

The Grant Funding and  Proposal Writing Essentials Course consists of three (3) subject areas that will be completed during the three-day workshop.

(1) Fundamentals of Program Planning

This session is centered on the belief that "it's all about the program." This intensive session will teach professional program development essentials and program evaluation. While most grant writing "workshops" treat program development and evaluation as separate from the writing of a proposal, this class will teach students the relationship between overall program planning and grant writing.

(2) Proposal Writing Essentials

Designed for both the novice and experienced grant writer, this component will make each student an overall proposal writing specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this course is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this course's intent to illustrate grant writing as an integrated, multidimensional, and dynamic
endeavor. Each student will learn to stop writing the grant and to start writing the story. Ultimately, this class will illustrate how each component of the grant proposal represents an opportunity to use proven techniques for generating support.

(3) Funding Research

At its foundation, this course will address the basics of foundation, corporation, and government grant research. However, this course will teach a strategic funding research approach that encourages students to see research not as something they do before they write a proposal, but as an integrated part of the grant seeking process. Students will be exposed to online and database research tools, as well as publications and directories that contain information about foundation, corporation, and
government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant acquisition effort.

$495.00 tuition includes all materials and certificates.

Each student will receive:
*The Funding Institute's Certificate in Professional Grant Writing
*The Guide to Successful Grant Writing
*The Grant Writer's Workbook with sample proposals, forms, and outlines

Registration Methods

1) On-Line - Complete the online registration form here and we'll send your confirmation by e-mail.

2) By Phone - Call (213) 347-4899 to register by phone. Our friendly Program Coordinators will be happy to assist you and answer your questions.

3) By E-mail - Reply to this e-mail with your name, organization, and basic contact information  and we will reserve your slot and send your Confirmation Packet.

We respect your privacy and want to ensure that interested parties are made aware of  The Funding  Institute's  programs and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there
is a program next year in your area. To be excluded  from next year's announcement, reply to this e-mail  and write "Exclude" in the subject line.

That site also lists some partly redacted email headers, I highlight the most interesting ones:

Return-Path: newyXXX@Xpma11.org
X-Original-To: ronaldwhXXXXX@Xpambog.com
Received: from raptor.ipma11.org (unknown [])
by mx.discard.email (Postfix) with ESMTPS id 3lMjVB6cp4z1yVV
for ronaldwhXXXXX@Xpambog.com; Thu, 9 Apr 2015 02:08:02 +0200 (CEST)
Received: (qmail 32427 invoked by uid 0); 9 Apr 2015 00:05:27 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=private; d=ipma11.org;
Received: from pool-173-55-54-221.lsanca.fios.verizon.net (HELO ipma11.org) (newyXXX@Xpma11.org@
by with ESMTPA; 9 Apr 2015 00:05:27 -0000
From: The Funding Institute newyXXX@Xpma11.org
To: ronaldwhXXXXX@Xpambog.com
Subject: Grant Funding Essentials Course (July 15-17, 2015: The State University of New York)
Date: 08 Apr 2015 16:47:50 -0700
Message-ID: 20150408164749.086B4XXXXXXXXXXX@Xpma11.org
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable 
 In those headers, the server identifies itself as "ipma11.org" which is related to this scam site operating last year. You can read a RipOffReport complaint about that scheme here, which explains what I understand of the business operation quite thoroughly. The server IP address of (RaptorNode, Los Angeles) is also the same IP as used for the following nameservers:


This indicates that the email really did originate from the owners of ipma11.org (Jones and Patchrint) rather than it being a forgery. If we go further back in the email headers, we can see another IP address of which (according to DomainTools) is in La Puente, California. According to WhitePages.com that location is consistent with the Hacienda Heights address of Patchree Patchrint.

It link her with a cellphone number of (626) 330-1793 and a potential home address of 16008 Shadybend Dr Hacienda Hts, CA 91745-2229, an address which was previously mentioned in the comments of this post.

Although their website lists a contact address of "info@thefundinginstitute.org" the underlying HTML tells a different story..
<u><a href="mailto:grantfundingusa@gmail.com" data-attached-link="{"type":"Email","url":"grantfundingusa@gmail.com","title":"grantfundingusa@gmail.com"}" class="wz-link"> info@thefundinginstitute.org</a></u>
"grantfundingusa" again connects to this post for the scammy "Institute of Project Management America" scheme. The other contact details listed on the site are a telephone number of 213-347-4899  and a fax number of 877-538-3831.

As a side note, that fax number also appears on a very similar looking but defunct site using the domain projectmanagementinternational.org  (just a forwarder to another crappy free web host at projectmanagementinternational.zohosites.com) which also lists a couple of other contact numbers of 323-813-8387 and 800-288-8387 the latter of which can be seen in this spam which is almost identical to "The Funding Institute" spam.

Another point of comparison is the similarity in design elements and wording between "The Funding Institute" and "Grant Funding USA", which uses a similar compass logo and almost exactly the same wording.

Overall, there are so many similarities between "The Funding Institute" and other schemes run by Jones and Patchrint. The complaints against these two (apart from a string of failed LA restaurants) are of courses that abruptly change locations from prestigious venues to much shabbier ones, of tutors who are recruited at the last minute and are often under-prepared (some of whom claim not to have been paid) leading to low-quality courses, and of course endless spam to promote the ever-changing names of these schemes which have an awful reputation.

I would not recommend doing business with this pair, and if you think you have been treated unfairly then I suggest you take legal advice or approach law enforcement, the BBB or regulatory authorities.

Wednesday, 5 August 2015

Malware spam: "Booking Confirmation - Accumentia (16/9/15)" / "David Nyaruwa [david.nyaruwa@soci.org]"

This fake financial spam is not from SCI or Accumentia, but is instead a simple forgery with a malicious attachment:

From     David Nyaruwa [david.nyaruwa@soci.org]
Date     Wed, 05 Aug 2015 13:38:23 +0300
Subject     Booking Confirmation - Accumentia (16/9/15)

Please find attached a proforma invoice for Accumentia's booking of the council room
on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance
due by the date of the meeting.


David Nyaruwa
Project Accountant
SCI, 14-15 Belgrave Square, London, SW1X 8PS
T: +44 (0)20 7598 1536  E: mailto:david.nyaruwa@soci.org <mailto:patricia.cornell@soci.org>
W: www.soci.org
SCI - where science meets business

Phenotypic Approaches in Drug Discovery<https://www.soci.org/Events/Display-Event.aspx?EventCode=FCHEM441>,
18 March 2015, SCI, London, UK
Arrested Gels: Dynamics, Structure and Application,<https://www.soci.org/Events/Display-Event?EventCode=coll148>
23-25 March 2015, Gonville & Caius, Cambridge, UK
32nd Process Development Symposium<https://www.soci.org/Events/Display-Event.aspx?EventCode=FCHEM150>,
25-27 March 2015, Churchill College, Cambridge, UK
Reagentless Synthesis<https://www.soci.org/Events/Display-Event?EventCode=fchem440>,
1 April 2015, SCI, London, UK

For the full events listing and more information go to http://www.soci.org/Events
Note that I believe that "Accumentia" is a typo for "Acumentia" but has actually been copied from the SCI's own website verbatim.

Attached is a file named Accumentia Booking (16-9-15).doc which comes in at least two different versions [VirusTotal results 6/56 and 7/56] which contain a macro that looks like this [pastebin] and which according to Hybrid Analysis [1] [2] download malware from the following locations:


This file has a detection rate of 4/55 and the Malwr report shows that it phones home to the familiar IP of: (Reg.RU, Russia)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.


Malware spam: "IMPORTANT - Document From Ofcom Spectrum Licensing" / "Spectrum.licensing@ofcom.org.uk"

This spam does not come from OFCOM but is instead a simple forgery with a malicious attachment.

From:    Spectrum.licensing@ofcom.org.uk
Date:    5 August 2015 at 07:46
Subject:    IMPORTANT - Document From Ofcom Spectrum Licensing

Dear Sir/Madam,

Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.

Please read the document carefully and keep it for future reference.

If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee's responsibility to ensure all information we hold is correct and current.

If you have any enquiries relating to this document, please email

Yours faithfully,

Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HA

Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043 

In the sample I saw, the attachment was OFCOM_REN04_20150715_0976659.docm [VT 4/46] which contains this malicious macro [pastebin] which (according to this analysis) downloads a malware executable from:


This has a detection rate of 4/52 and automated analysis tools [1] [2] show it phoning home to: (Reg.RU, Russia)

That IP has been used for badness a few times recently and I definitely recommend that you block traffic to it. The payload is most likely to be the Dridex banking trojan.


Tuesday, 4 August 2015

Malware spam: "Need your attention"

A variety of malicious spam messages are in circulation, each with "Need your attention" in the subject. Each message has a different sender, attachment name and reference number in the subject along with some other variations. Here is an example:

From:    Hilda Buckner
Date:    4 August 2015 at 13:29
Subject:    Need your attention: OO-6212/863282

Hope you are well

Please find attached the statement that matches back to your invoices.

Can you please sign and return.
In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro [pastebin].

What that macro does (other ones may be slightly different) is download a VBS script from pastebin.com/download.php?i=0rYd5TK3 [link here, safe to click] which is then saved as %TEMP%\nnjBHccs.vbs.

That VBS then downloads a file from which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero (MD5 = 00dca835bb93708797a053a3b540db16).

The Malwr report indicates that this phones home to (NFrance Conseil, France). The payload is probably the Dridex banking trojan.

Note that the malware also sends apparantly non-malicious traffic to itmages.ru , for example:

Therefore I would suggest that monitoring for traffic to itmages.ru is a fairly good indicator of compromise.

Malware spam: "INVOICE HH / 114954" / "haywardsheath@hpsmerchant.co.uk"

This fake invoice is not from Heating & Plumbing Supplies but is instead a simple forgery with a malicious attachment:

From     [haywardsheath@hpsmerchant.co.uk]
Date     Tue, 04 Aug 2015 12:19:56 +0200
Subject     INVOICE HH / 114954

Please find attached INVOICE HH / 114954
Automated mail message produced by DbMail.
Registered to Heating & Plumbing Supplies, License MBS2009358.

Attached is a file R-20787.doc which contains a malicious macro like this one [pastebin] that comes in at least two different versions, downloading from the following URLs:


The Hybrid Analysis reports [1] [2] give some insight as the the characteristics of the malicious document. The downloaded file has a VirusTotal detection rate of 3/55. Automated analysis [1] [2] shows traffic to the following IPs: (Reg.RU, Russia) (Iliad / Online S.A.S., France) (Selectel, Russia)

The payload is the Dridex banking trojan.

Recommended blocklist:


Monday, 3 August 2015

Malware spam: "E-bill : 6200228913 - 31.07.2015 - 0018" / "noreply.UK.ebiller@lyrecobusinessmail.com"

This fake financial spam does not come from Lyreco but is instead a simple forgery with a malicious attachment:

From:    noreply.UK.ebiller@lyrecobusinessmail.com
Date:    2 August 2015 at 03:00
Subject:    E-bill : 6200228913 - 31.07.2015 - 0018

Dear customer,

Please find enclosed your new Lyreco invoicing document nA^° 6200228913 for a total amount of 43.20 GBP, and
due on 31.08.2015

We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by

you at any time.

For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.

Your Lyreco Customer Service

*** Please do not reply to the sender of this email.
This e-mail, including any attachments to it, may contain company confidential and/or personal information.
If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action based on the
information contained within it.

Please notify immediately by return e-mail of the error and then delete the original e-mail by replying to
wise.cs.iqt@lyreco.com ***
The attachment is named 0018_6200228913.docm which contains a malicious macro like this one [pastebin]. So far I have seen three different variants (Hybrid Analysis reports [1] [2] [3]) which then go and download a malicious binary from one of the following locations:


All of these sites are hosted on (OVH, France). The binary has a detection rate of 4/55. This Malwr report shows it phoning home to (FastVPS, Estonia). The payload is probably the Dridex banking trojan.

Recommended blocklist:


Saturday, 1 August 2015

Spam: Countrywide Money Ltd (countrywidemoney.co.uk)

You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme.

From:    Countrywide Money [info@countrywidemoney.co.uk]
Reply-To:    Info@countrywidemoney.co.uk
Date:    1 August 2015 at 05:11
Subject:    Extra Income FOR YOU!

For further information on registration to become an agent, please call our introducer help Desk on 0800 195 3757; to Unsubscribe Click Here!

Incidentally, the Unsubscibe link doesn't work. Tsk tsk.

Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK. So, what can we find out about this Countrywide Money Ltd?

Let's start with the WHOIS details for the domain countrywidemoney.co.uk:

Domain name:

Countrywide Money

Registrant type:
UK Individual

Registrant's address:
The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

A non-trading individual? Let's look at that web site for a moment..

Well, it doesn't look like a personal homepage to me. But we can look up the details of Countrywide Money Ltd at Companies House to see what we can find. It turns out that the sole director is one "Tony Edwards" who should presumably be listed on the domain WHOIS:

Appointed: 07/06/2012
Date of Birth: 24/10/1972
Nationality: BRITISH
No. of Appointments: 3
AL10 8DE
Country/State of Residence: UNITED KINGDOM

Let's have a look at the flashy offices in Hatfield, eh? Oh.. it looks like a residential address.

A bit of a disappointment really as the web site and brochure look so promising. A little bit more digging at DueDil shows some equally disappointing looking financials.


One other odd thing, the "About Us" page says that they were founded in 2002..

But Companies House says they were only incorporated in 2012:

That's kind of.. odd. There must be some rational explanation for the discrepancy.

Anyway, I'm not sure why this person feels that promoting their business through spam is appropriate. I certainly won't be signing up to this scheme.

UPDATE 6/2/16

Somebody claiming to be Tony Edwards has made several angry comments on the end of this post, but has not addressed the simple query of where they got their mailing list from. This somewhat incoherent, ill-informed and badly spelled comments cumulated in something that could easily be misinterpreted as a threat of blackmail and even violence.

These comments are connected to a Google+ profile that looks to be genuine, but it is possible I suppose that they are coming from an imposter. My personal opinion is that if they are genuine then they simply show how unprofessional Mr Edwards is.

An explanation as to how the spam email ended up with a non opt-in address would be good. An apology for spamming would be perfectly acceptable. Threats are not.