Sponsored by..

Friday, 6 November 2015

Malware spam: "Payment Notification" / "Sarah Jeffes [messages.4143072.154255.7c0a97a59f@messages.netsuite.com]"

This fake financial spam has a malicious attachment:

From:    Sarah Jeffes [messages.4143072.154255.7c0a97a59f@messages.netsuite.com]
Date:    6 November 2015 at 11:55
Subject:    Payment Notification

Dear Supplier,

Please find attached remittance advice for payment to be processed in your account today.

Kind Regards,
Accounts
Kind Regards Macarthur Gas Pty Ltd.

Attached is a file Bill Payment_00001081_8.xls which in the samples I have seen is identical to the payload of this other spam run going on today.

Malware spam: "Invoice #00004232; From Timber Solutions" / "Kes [kerryadamson@bigpond.com]"

This fake invoice does not come from Timber Solutions but is instead a simple forgery with a malicious attachment:
From:    Kes [kerryadamson@bigpond.com]
Date:    6 November 2015 at 11:07
Subject:    Invoice #00004232; From Timber Solutions

Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow.  Please pay into the
account, details of which are at the foot of the invoice.  Kes
Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54 and contains this malicious macro [pastebin], which (according to this Hybrid Analysis report) downloads a binary from:

advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe

..this is saved as %TEMP%\tghtop.exe and has a detection rate of... errr.. zero. Automated analysis of this binary [1] [2] shows network traffic to:

89.108.71.148 (Agava Ltd, Russia)

I strongly recommend that you block traffic that that IP. The payload is most likely to be the Dridex banking trojan.

MD5s:
39fe24d2055f88cff39e27abd7dc5132
6c21a09c80e076ec5b60b7415135ae7a


Malware spam: "Your latest e-invoice from TNT 4677602495 2722813" / "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]

This fake financial invoice does not come from TNT but is instead a simple forgery with a malicious attachment:

From     "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]
Date     Fri, 6 Nov 2015 12:53:01 +0200
Subject     Your latest e-invoice from TNT 4677602495 2722813

PLEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.

Please find attached your TNT Invoice. Please note that our standard payment terms
require cleared funds in our account by the 15th of the month following the month
of invoice.

IMPORTANT CONTACT DETAILS

To register an invoice query please contact us at ukinvoicequeries@tnt.co.uk

To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@tnt.com

To set up a Direct Debit plan please contact us at tntdirectdebit@tnt.co.uk

For quick and easy access to your invoices simply log in using your user name and
password to https://express.tnt.com/eInvoicing and you'll be able to view and download
your electronic invoices immediately.

If you have forgotten your user name or password please follow the above link where
you will be able to reset your log-in details. If you are experiencing any technical
issues with your e-Invoicing account please contact us at ukeinvoice@tnt.co.uk

Rest assured, we operate a secure system, so we can confirm that the invoice PDF
originates from TNT and is authenticated with a digital signature. Thank you for
using e-invoicing with TNT the smarter, faster, greener way of processing invoices.

---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise
protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete
this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment
or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s).
Print black and white and double-sided where possible.
----------------------------------------------------------------------------------
The attached file is inv6219014291_0519182.zip, although I don't have a sample of that at the moment. The payload is likely to be the Upatre downloader leading to the Dyre banking trojan.

Thursday, 5 November 2015

Malware spam: "Document from AL-KO" / info@alko.co.uk

This spam does not come from AL-KO but is instead a simple forgery with a malicious attachment:

From     [info@alko.co.uk]
Date     Thu, 05 Nov 2015 16:33:40 +0530
Subject     Document from AL-KO

This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)

Document from AL-KO.doc
Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor [1] [2] at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports [3] [4] show the macro in action, downloading from:

members.dodo.com.au/~mfranklin17/f75f9juu/009u98j9.exe
www.mazzoni-hardware.de/f75f9juu/009u98j9.exe


There will be other locations too, all downloading the same binary with a detection rate of 4/54 (MD5 39f7827813ac9bc74a4a9176c9e80487) Other automated analyses [5] [6] show network traffic to:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123

Wednesday, 4 November 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake Transport for London spam is a variation of something used before. It does not actually come from TfL, but is a simple forgery with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Wed, 4 Nov 2015 14:33:44 +0100
Subject     Email from Transport for London

Dear Customer

Please open the attached file to view correspondence from Transport for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.

Attached is a file 6305093.zip of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75) which has a VirusTotal detection rate of 7/54. This Hybrid Analysis report shows it communicating with the well-known malicious IP address of 197.149.90.166 (Cobranet, Nigeria) which I recommend you block.

The payload here seems to be Upatre dropping the Dyre banking trojan.

Tuesday, 3 November 2015

Malware spam: "New Invoice from Documents Online" / "Documents Online Limited" [sales@documentsonline.co.uk]

This fake financial spam has a malicious attachment:

From     "Documents Online Limited" [sales@documentsonline.co.uk]
Date     Tue, 3 Nov 2015 17:24:30 +0530
Subject     New Invoice from Documents Online

Dear Customer,

This is a notice that an invoice has been generated against your account, details
of the invoice are as follows:

Invoice #241
Amount Due: 90.00GBP
Due Date: 01/12/2015
Payment Method: Bank Transfer

Invoice Items

[redacted] (01/12/2015-31/12/2015) 75.00GBP

------------------------------------------------------
Sub Total: 75.00GBP
20.00% UK VAT: 15.00GBP
Credit: 0.00GBP
Total: 90.00GBP
------------------------------------------------------

Please find attached a copy of this invoice in PDF format for your records.

IMPORTANT: Please open the attached file using your temporary password. Your temporary
password is: UCZ941QXO941

If you have a Direct Debit setup via our payment gateway GoCardless, payment will
be taken automatically on or shortly after the invoice due date. Alternatively payment
can be made in one of the following ways:

1) Online via Credit/Debit card by clicking this link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=241

2) Bank Transfer:

    Lloyds TSB, PO Box 1000, BX1 1LT
    Account: Documents Online Limited
    Sort: 30-94-47
    Account: 39921360

3) Setting up a Direct Debit using our payment gateway GoCardless by following these
steps:

a) Click this payment link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=223
(you will need your portal login details).
b) You will be presented with the invoice, click the "Create Subscription" button
top right of the invoice.
c) You will then be automatically redirected to the Go Cardless website, follow the
instructions on screen to setup a recurring direct debit payment.

Thank you for your business and we look forward to receiving your payment.

Kind Regards,

Documents Online Limited
www.documentsonline.co.uk
Attached is a password-protected ZIP file Invoice-241.zip (in the case, the password is UCZ941QXO941) which in turn contains a malicious executable Invoice-241.zip.exe (MD5 c5770e371cdfde80dc87187b249b19ea) which appears to be undetected at present.

Analysis of the binary is pending, but it will be nothing good.

UPDATE:
This Hybrid Analysis report shows traffic consistent with Upatre dropping the Dyre banking trojan, including traffic to the well known bad IP of:

197.149.90.166 (Cobranet, Nigeria)

Malware spam: "Delivery Confirmation: 0068352929" / "ACUVUE_DEL [ship-confirm@acuvue.com]"

This fake financial spam does not comes from Acuvue, but is instead a simple forgery with a malicious attachment:

From     ACUVUE_DEL [ship-confirm@acuvue.com]
Date     Tue, 03 Nov 2015 12:26:17 +0200
Subject     Delivery Confirmation: 0068352929

PLEASE DO NOT REPLY TO THIS E-MAIL.  IT IS A SYSTEM GENERATED MESSAGE.

Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
Attached is a file Advance Shipping Notification 0068352929.DOC which my sources (thank you, btw) say comes in four different versions, although I have only seen three (VirusTotal results [1] [2] [3], Hybrid Analysis results [4] [5] [6])  containing a macro that looks like this [pastebin]. The download locations are:

builders-solutions.com/45gce333/097j6h5d.exe
goalaskatours.com/45gce333/097j6h5d.exe
www.frontiernet.net/~propertiespricedtosell/45gce333/097j6h5d.exe
www.prolococopparo.it/45gce333/097j6h5d.exe


This malicious binary has a VirusTotal detection rate of 6/54. That VT report and this Hybrid Analysis report show network communications to the following IPs:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is most likely to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56

MD5s:
c6cefd2923164aa14a3bbaf0dfbea669
8de322b1fb6a2cc3cbe237baa8d5f277
110d5fde265cd25842b63b9ec4e57b3c
dcf4314773c61d3dde6226a2d67424e8
274695746758801bfb68f46f79bfb638






Monday, 2 November 2015

Scam: "European Trademark Publication" / "ETP" / "etp-publication.com"

A little while ago I registered a trademark. I was a bit surprised to see a small flurry of scammers following that up (by snail mail), sending me what to all intents and purposes are fake invoices. Here is one of them.

In the greyed-out text at the bottom, you can just about read the bit where they give the game away..


Basically, this "ETP" outfit is saying.. send us £930 for no reason at all. Avoid.

Malware spam: "Purchase Order 37087-POR" / "Margaret Wimperis [MargaretWimperis@biasbinding.com]"

This fake financial spam does not come from K. Stevens (Leicester) Ltd but is instead a simple forgery with a malicious attachment.

From     Margaret Wimperis [MargaretWimperis@biasbinding.com]
Date     Mon, 02 Nov 2015 18:28:23 +0700
Subject     Purchase Order 37087-POR

Hi
Please confirm receipt of order
Kind regards
Margaret


-----------------------------
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of  K. Stevens (Leicester) Ltd.

-----------------------------
Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro similar to this one [pastebin], which download a binary from the following locations:

saltup.com/34g3f3g/68k7jh65g.exe
landprosystems.com/34g3f3g/68k7jh65g.exe
jambidaily.com/34g3f3g/68k7jh65g.exe


This binary has a detection rate of 4/55 and according that that VirusTotal report, this reverse.it report this Malwr report it contacts the following IP:

128.199.122.196 (DigitalOcean, Singapore)

I strongly recommend that you block that IP. The payload is likely to be the Dridex banking trojan.

MD5s:
eb7df68bd7eb7cf2968cf541af3472d6
fca7c5a1b7fc754588da67c04d225504
6e07bb7f248492d54fdd604ca29da776
867295e266fc496572e42c9cd6281132


Friday, 30 October 2015

Malware spam: "Purchase Order 0000035394 customer 09221" / "Clare Harding" [purchasing@carterspackaging.com]

This fake financial spam does not come from Carters Packaging Ltd but is instead a simple forgery with a malicious attachment.

From     "Clare Harding" [purchasing@carterspackaging.com]
Date     Fri, 30 Oct 2015 16:42:26 +0530
Subject     Purchase Order 0000035394 customer 09221

Purchase Order 0000035394

Dear customer,

Please find attached a copy of our order (reference 0000035394), your
reference .

If you have any questions regarding the purchase order please contact us
using the details below.

CLARE HARDING

Purchasing Manager
Carters Packaging Ltd, Packaging House, Wilson Way, Pool, Redruth, Cornwall,
TR15 3RT
Fax: +44 (0) 1209 315 600
www.carterspackaging.com

purchasing@carterspackaging.com
Attached is a file Purchase Order 0000035394.doc which apparently comes in several different versions, although all the samples I saw had the same attachment with a VirusTotal detection rate of 5/55 and which contained this malicious macro [pastebin].

Download locations for all the document versions (h/t to my source) are:

malajsie.webzdarma.cz/45y3f34f/7jh4wqd.exe
fa31.linux-hosting.de/45y3f34f/7jh4wqd.exe
ankarasogukhavadepo.com/45y3f34f/7jh4wqd.exe
selimkaucuk.com/45y3f34f/7jh4wqd.exe


It looks like this is saved as %TEMP%\httsser.exe and it has a VirusTotal detection rate of 5/55. That VirusTotal report and this reverse.it report show that it generates network traffic to:

221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)

I strongly recommend that you block access to that IP. The payload appears to be the Dridex banking trojan.

MD5s:
a5c52bd47f7fdfd54a2584a669eabe59
337435ffd7a94ce05bea59c0d312e5b3
48dde939b402533d37065bc606ed45a1
d3b4f459d089e6afd52d5650c31aa25e
e70ae9099a5e6daef41fd8dc15191756

Carters Packaging are on the ball and have put a big notice on their site, which is nice work.


Thursday, 29 October 2015

Malware spam: "Domain [domain] Suspension Notice" / abuse@enom.com.org

There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam. Here is one example that I got.. it would have been very convincing, except that I had the heads up on this attack a couple of day ago.

From:    ENOM, INC. [abuse@enom.com.org]
Date:    30 October 2015 at 04:11
Subject:    Domain LAPTOP-MEMORY.COM Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704
In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify any domain name and it gives a matching file.

Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions.com. It looks like the sort of domain that might contain abuse reports, but in fact it is a hijacked GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal indicates that one of the other 4 sites on the same server was also compromised and was serving up malware in 2013. This is definitely a good candidate to block.

The downloaded file has a VirusTotal detection rate of 2/55. Automated analysis tools [1] [2] [3] indicate that whatever the hell this is, it tries to contact a LOT of other servers. We can see that the following domain names are accessed (mostly POST attempts):

0tv.co
abettertravelagent.com
agentclicktocall.com
airconditioning12601.com
all-inclusiveresortstravel.com
allgroupstravel.com
allreadytravel.com
ameliastyle.com
anabolicsteroidsrx.com
anunciamicasa.com
aprovechatudia.com
armangarzon.info
beachhouseplans.com
bigboattravel.com
biznal.com
bloccailmutuo.com
boilersandfurnaces.com
breakerhub.com
breathtakingsolutions.com
brindegenie.com
cameroonmarket.com
camirate.com
carltonchambers.co.uk
certifiedphytoceramides.com
chuckwhitlock.com
ciiapparelblog.com
circuitbreakerhub.com
colebar.com
cpasolutiononline.com
cruiseandtravel.agency
cruises-travelandmore.com
cruisetravelpros.com
cruisewithdawn.com
cruisingatdawn.com
cywellness.com
dallascircuitbreaker.co
dallascircuitbreaker.com
dallaselectricalsurplus.com
dallasreconditionedtransformers.com
dangerousgarciniacambogia.com
dawat-restaurant.com
designbrossard.com
designingartinstitute.com
designtravelagency.com
destinycruiseandtravel.com
enterrealtyny.com
superfunshoes.com
tarkshyainc.com

Note that almost everything is in the A-D range, which makes me suspect that this is only a fraction of the compromised domains. If we look at the IP addresses of those domains, then it gets even more interesting:

50.87.144.249 (Unified Layer, US)
50.87.151.145 (Unified Layer, US)
108.167.140.175 (WebSiteWelcome, US) [13 instances]
162.144.0.215 (Unified Layer, US)
162.144.12.115 (Unified Layer, US)
192.185.5.33 (WebSiteWelcome, US) [2 instances]
192.185.16.67 (WebSiteWelcome, US) [7 instances]
192.185.19.115 (WebSiteWelcome, US)
192.185.21.162 (WebSiteWelcome, US)
192.185.22.63 (WebSiteWelcome, US) [4 instances]
192.185.90.237 (WebSiteWelcome, US)
192.185.101.210 (WebSiteWelcome, US)
192.185.140.214 (WebSiteWelcome, US)
192.185.152.133 (WebSiteWelcome, US) [2 instances]
192.185.183.81 (WebSiteWelcome, US)
192.185.226.164 (WebSiteWelcome, US)
192.254.186.85 (WebSiteWelcome, US) [2 instances]
192.254.231.138 (WebSiteWelcome, US)
192.254.234.204 (WebSiteWelcome, US)
198.57.242.171 (Unified Layer, US) [4 instances]
198.57.244.38 (Unified Layer, US)
208.109.119.156 (GoDaddy, US)

A check of those WebSiteWelcome and Unified Layer IPs on VirusTotal (for example 192.185.226.164) indicates several compromised domains on the same server, indicating that the entire box has been popped.

It isn't clear what the payload is, but given the fact that it is aimed at domain owners and given the unusual characteristics of the malware, I can make a guess that it is some sort of password stealer, possibly harvesting domains or server admin credentials. If you are not using multi-factor authentication for your domains, then perhaps now would be a good time to choose to do so.

Recommended blocklist:
50.87.144.249
50.87.151.145
108.167.140.175
162.144.0.215
162.144.12.115
192.185.5.33
192.185.16.67
192.185.19.115
192.185.21.162
192.185.22.63
192.185.90.237
192.185.101.210
192.185.140.214
192.185.152.133
192.185.183.81
192.185.226.164
192.254.186.85
192.254.231.138
192.254.234.204
198.57.242.171
198.57.244.38
65.78.174.100

UPDATE:

The payload appears to be the Cryptowall ransomware.

Malware spam: "Documents for Review and Comments" / Pony / eyeseen.net

This fake document scan email has a malicious attachment:

From:    Sarah [johnson@jbrakes.com]
Date:    29 October 2015 at 08:27
Subject:    Documents for Review and Comments

Hi Morning,

Attached are the return documents.

Call me if you need anything.

See you soon. :)


Sarah
The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.

According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:

eyeseen.net/swift/gate.php

This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.

The payload is Pony / Fareit, which is basically a password stealer.

MD5s:
25a322b9ea5c709c4376bf58527f198a
efc7210f7dbce441f74e3c9f07f28a2e
79ca99c3f751ae334d0340284242e4f6



Wednesday, 28 October 2015

Malware spam: "Don and Carol Racine" / "www.boatclinic.net" / "boatclinic@aol.com"

This fake financial spam is not from Racine Design Inc but is instead a simple forgery with a malicious attachment:

From     [random]
Date     Wed, 28 Oct 2015 10:39:26 +0100
Subject     [random]

 Dear :
Boat has been done a week now. I contacted you last week
The
Boat is ready to pick up,  I have had inquiries as to people wanting to
buy it,
the carb is in your possession and there is no way to run it,
The boat could
sell real easy at this time of year , Memorial day to 4th of
July most boats
are sold.
Please call me to arrange payment and pickup of the Boat ,
If you
need me to store the boat I can do that at the storage facility ,
they do
charge a fee for this 7.00 per day
The other Invoice for the embroidery will
follow , Balance is due now !
Thanks

Your invoice is attached.  Please
remit payment

Thank you for your business - we appreciate it very
much.


Sincerely,
Don and Carol Racine

Racine Design, Inc.
2036 Imeson
Rd
Jacksonville, Fl.  32220

E-Mail  
boatclinic@aol.com

www.boatclinic.net

phone    (904) 771-8170
fax       
(904) 771-0843
The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.

Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre which commonly calls back to 197.149.90.166 (Cobranet, Nigeria), an IP I strongly recommended that you block.

UPDATE:

The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.

Malware spam: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200

This fake fax spam comes with a malicious attachment:

From:    eFax [message@inbound.efax.com]
Date:    28 October 2015 at 10:08
Subject:    eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200



eFax


Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word.
Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home     Contact     Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.



FAX_20151028_1445421437_89.doc
99K


The attachment FAX_20151028_1445421437_89.doc is the same as used in this spam run and the payload is the Dridex banking trojan.

Malware spam: "Thank you for your order" / "DoNotReply@ikea.com"

This fake order spam does not come from IKEA but is instead a simple forgery with a malicious attachment.

From:    DoNotReply@ikea.com
Date:    28 October 2015 at 08:57
Subject:    Thank you for your order


IKEA
IKEA UNITED KINGDOM

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.

Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
30-10-2015
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
30-10-2015
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
This is an email from IKEA Ltd (Company Number 01986283) whose registered office address is at Witan Gate House 500-600 Witan Gate West, Milton Keynes MK9 1SH, United Kingdom.
IKEA VAT Number: 527 7733 20
This email is your VAT receipt, please print a copy for your records.
IKEA Ltd does not accept responsibility for the accuracy or completeness of the contents of this email as it has been transmitted over a public network.


Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55.

Analysis of the document and whatever it downloads is pending, but this is likely to be the Dridex banking trojan.

UPDATE 1:

The reverse.it analysis  of the first sample shows a download from:

alvarezsantos.com/4f67g7/d6f7g8.exe

This dropped binary has a detection rate of just 2/55.

Two further samples have now been seen (VT results [1] [2]) and according to the analysis of one them, it downloads from:

experassistance.fr/4f67g7/d6f7g8.exe

Analysis of the dropped binary is pending. Please check back shortly.

UPDATE 2:

A further reverse.it analysis shows another download location of:

www.retrogame.de/4f67g7/d6f7g8.exe

The reverse.it analysis of the dropped binary is inconclusive.

UPDATE 3:

According to sources clever than I, this doesn't appear to be Dridex at all, but Neutrino Bot / Kasidet which downloads the Shifu banking trojan in the UK.

Tuesday, 27 October 2015

Malware spam: "ZFRSSE - CMS Collateral Report(s) as of 10/27/2015" / "frs-cms-mailer@olen.frb.org"

This fake financial email.. whatever the heck it is pretending to be.. is not from the Federal Reserve System, but is instead a simple forgery with a malicious attachment.

From:    frs-cms-mailer@olen.frb.org
Date:    27 October 2015 at 17:32
Subject:    ZFRSSE - CMS Collateral Report(s) as of 10/27/2015

You have received electronic delivery of the attached CMS Collateral Report(s) from the Federal Reserve System.
______________________________________________________________________

Note: This is an automated message and replies to this mailbox will not be answered.  Questions concerning this message can be directed to your Federal Reserve Bank contact.  This communication and all attachments hereto contain sensitive and confidential information.  As a result, this communication has been encrypted in transit.  This communication is intended solely for the use of the addressee and should be handled in accordance with applicable policies and procedures.  If you have received this communication in error please delete or destroy all copies of it.

This message was secured in transit.  ZFRSSE_20151027173233
-------------------------------------------------------------------------
This message was secured by ZixCorp(R).
This message center is strictly for use by current Federal Reserve System business partner and customer employees, any other use of this system is strictly prohibited.
The attachment in the sample I saw was named CMS Collateral Report_20151027173233.doc which has a VirusTotal detection rate of 4/55. The comments in that report point to another VirusTotal report indicating that it drops Upatre.. but unusually, this code appears to have a valid Comodo certificate.

In turn, this drops a version of the Dyre banking trojan with a detection rate of 5/56.

Malware spam: "id:9828_My_Resume"

This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.

From:    Trinh [zhanxing1497kcuo@163.com]
Date:    27 October 2015 at 18:30
Subject:    id:9828_My_Resume
Signed by:    163.com

Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.

The macro looks like this [pastebin] and the Hybrid Analysis of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:

all-inclusiveresortstravel.com
designtravelagency.com
bigboattravel.com
cpasolutiononline.com
ciiapparelblog.com

The first three are on 108.167.140.175 and the second two are on 192.185.101.210 which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely compromised.

The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.

Recommended blocklist:
46.30.41.150
108.167.140.175
192.185.101.210

UPDATE:
This Tweet indicates that the payload is Cryptowall.

BizSummits aka ExecSummits LLC whacks former employee with lawsuit

I've written about BizSummits aka ExecSummits LLC many times before, exposing their habit of sending spam (which I haven't seen any of lately to be fair) and other questionable business practices. By accident I discovered that in September, ExecSummits file a lawsuit [Techdirt] against former employee Michael Healy.

Techdirt does a reasonable job at bringing together various bits and pieces to explain what is occurring and the background to the story. Worth a read IMO.

PACER fees being what they are, I've uploaded the documents for 1:15-cv-03199-MHC here [zip] if you want to have look.

Malware spam: "RBS Cardholder Application Form" / "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]

This fake financial spam does not come from Sunderland City Council, but is instead a simple forgery with a malicious attachment:

From     "Wm Palmer" [Wm.Palmer@sunderland.gov.uk]
Date     Tue, 27 Oct 2015 18:39:34 +0700
Subject     RBS Cardholder Application Form

Dear Customer,



We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.



Kind regards,

Wm.
Wm Palmer
Purchase Ordering Officer
Commercial and Corporate Services
Sunderland City Council

Tel: 0191 5617588
www.sunderland.gov.uk

Sunderland City Council: Sunderland Home Page

The Sunderland City Council website is for anyone living, working, visiting or wanting
to invest in Sunderland - a great city by the sea with a balanced way of life ...

Read more...

Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the same malware as used in this other fake council spam run today.

Malware spam: "Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance" / credbills@denbighshire.gov.uk

I've never had malware spam in Welsh before.. this is not from Denbighsire County Council, but is instead a simple forgery with a malicious attachment:

From     "credbills@denbighshire.gov.uk" [credbills@denbighshire.gov.uk]
Date     Tue, 27 Oct 2015 17:46:01 +0530
Subject     Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance

Gweler manylion taliad BACS yn atodedig

Please see attached Bacs Remittance

Dilyn ni ar Twitter: http://twitter.com/cyngorsDd Follow us on Twitter: http://twitter.com/DenbighshireCC
Ymwelwch a ni ar-lein ar http://www.sirddinbych.gov.uk Visit us online at http://www.denbighshire.gov.uk
Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
yn dda. Mae cynnwys yr e-bost yn cynrychioli barn yr unigolyn(ion) a enwir uchod
ac nid yw o angenrheidrwydd yn cynrychioli barn Cyngor Sir Ddinbych. Serch hynny,
fel Corff Cyhoeddus, efallai y bydd angen i Gyngor Sir Ddinbych ddatgelu'r e-bost
hwn [neu unrhyw ymateb iddo] dan ddarpariaethau deddfwriaethol. The information contained
in this e-mail message and any files transmitted with it is intended solely for the
use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender immediately. The contents of this e-mail
represents the views of the individual(s) named above and do not necessarily represent
the views of Denbighshire County Council. However, as a Public Body, Denbighshire
County Council may be required to disclose this e-mail [or any response to it] under
legislative provisions.
Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55. The Hybrid Analysis report shows characterstics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a know bad IP:

197.149.90.166 (Cobranet, Nigeria)

I strongly recommend that you block traffic to that IP.



Monday, 26 October 2015

Fake seminar sites to avoid, registered to vravindhar@yahoo.com

A contact tipped me off to some fake financial seminar sites, all linked to the email address vravindhar@yahoo.com. They are promoted in spam emails similar to these:

From: rob.koster@fatcacomplianceinstitute.com [mailto:rob.koster@fatcacomplianceinstitute.com]
Sent: Wednesday, August 05, 2015 8:33 AM
To: redacted
Subject: FATCA Compliance - [redacted]
Importance: High

Dear Participants,

We are pleased to announce you that FATCA Compliance Institute is conducting a 2 day practical seminar on FATCA Compliance.

This seminar is going to be repeated and held thrice:
[redacted]

The seminar is open to all the Banking & Financial Professionals. The seminar particulars are attached with this mail.

Last date for enrolling your participation is [redacted], 2015.

Please contact for assistance.

Truly,
Rob Koster
Seminar Secretary
Tel:+31-800-020-0534(Netherlands and Other EU Countries) 
       +1-312-625-0112(All Other Countries)
FAX:+31-800-020-0534

And also..

 From: alfred@pacibankers.com [mailto:alfred@pacibankers.com]
Sent: Wednesday, February 11, 2015 11:50 AM
Subject: Asset Management Auditing and Internal Accounting Controls - [redacted]
Importance: High




Asset Management Auditing and Internal Accounting Controls - 2 Day Program

Dear Delegate
Pacific Standards (www.pacificstandards.com) would like to invite representatives from your organization to attend the above mentioned program scheduled for 2015. We are limiting the number of participants for each cluster to 20, as the courses are designed to be interactive and to encourage discussion and the exchange of ideas.

Program Dates:      Cluster I – February 25 - 26, 2015 
                                      Cluster II – March 9 - 10, 2015                                  
                                      Cluster III - March 18 - 19, 2015 
                                      Cluster IV- April 6 - 7, 2015
                                      Cluster V- April 15 - 16, 2015
                                 
Venue: {redacted}
We invite you to nominate individuals from your respective organization. It is also important to stress that all available slots will be filled on a first come first serve basis. Please advise your colleagues to attend and take advantage of this valuable and pivotal workshop.(Please see the attached brochure for complete course coverage).
Early Registration Deadline is February 15, 2015 
Last Date of Registration is February 17, 2015 


Looking forward for an early reply.

Thanks & Regards,
Alfred
Pacific Standards
Marketing Manager
Contact Number: +91-8801-990-204

Emails are sent from 159.253.145.90 (Softlayer, Netherlands). The registrant details look like this on most of the domains:
Registry Registrant ID:
Registrant Name: Ravindhar V
Registrant Organization:
Registrant Street: office:7, sushant lok , sushant estate
Registrant City: gugaon
Registrant State/Province: Haryana
Registrant Postal Code: 122002
Registrant Country: India
Registrant Phone: +91.9999960651
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: vravindhar@yahoo.com
Registry Admin ID:
The emails specifically target the finance sector with what appear to be relevant seminars and services, however once payment has been received there is reportedly no further communication and no seminars.

There are a large number of related sites, some using several different domains. There are virtually zero references to these "organisations" on Google, and a close examination of the sites shows several red flags.

Pacific Standards

Claiming to be in Singapore, but boasting an Indian phone number of +91-8801990204, this outfit claims to be part of "Grenoble Learning". Neither Pacific Standards nor Grenoble Learning actually appear to exist.


Domains used:
pacificstandards.com
pacibankers.com
pacific-compliance.com
pacificstan.cc
pacificstan.com
pacificstandards.org

Brown & Co

This claims to be based as 12 Flemington Street, Glasgow but quotes a US contact number of 1-800-BRO-CORP / 1-800-246-8115.  There are many, many companies in the UK with the name "Brown & Co", but where you would expect to see number 12 on that street.. there appears to be a car park.

Domains used:

beta-essentials.me
browncorpuk.org
browncorp.co
betaeventhub.org
betaeventhub.org
betaessentials.in

FATCA Compliance Institute

A quick Google search for "FATCA Compliance Institute" reveals exactly zero reliable references to this important-looking organisation, boasting contact details in both India and The Netherlands.
15-66 plot 101 Prabhu Nagar
Poranki 521137.
Tel:+31-800-020-0534(Netherlands and Other EU Countries)
FAX:+31-800-020-0534 (ONLY EU)
FAX: +31-20-524-1592 (ALL COUNTRIES)
USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Corporate Office:

Keizersgracht 209
1006 DT Amsterdam
The Netherlands
The Netherlands Toll-Free:
Tel:+31-800-020-0534
FAX:+31-800-020-0534

USA Tel: +1-312-625-0112 (All other Countries)
Email: director@fatcacompliance.cc

Domains used:

fatcacomplianceinstitute.org
fatcacomplianceinstitute.com
fatcacompliance.cc
fatcacompliance.net
fatcacompliance.org

Rightman Group

The web site here looks very slick. But if you Google for snippets of somewhat ungrammatical text (such as "But, one things remains unchanged – our dedication to doing the best work in the world.") you will find that there are hundreds of sites using the exact same template. Rightman Group has the following contact details listed:

Rightman Group
 United States
199 Scott Street
Suite 810
Buffalo, NY 14204
+1-716-217-2817
USA call charges apply.
---------
 Dreikönigstrasse 30
Zürich, Switzerland
----------
+41-43-508-1974 

The New York State Division of Corporations has no such company as "Rightman Group" listed.


Domains used:

rightmangroup.com
rightman.eu
rightman.cc
rightmangroup.net
rightmangroup.org

Swiss Dossier

I can only imagine that the name "Swiss Dossier" came about through an error in autotranslation. It lists several addresses:

info@swissdossier.com(General)
offices@swissdossier.com(Training Programs)

Tel:  +1-786-235-8424(USA)

Our Global offices are located at:
19th Floor, Prudential Towers(North Side)
Office no: 1901
Chulia Street
Singapore

Aeschenvorstadt, 405
Basel,
Switzerland

79 Thornall Street,
6th Floor, Edison, NJ 08837.
New Jersy
USA

70 Sheppard Avenue, Suite 301,
North York, Ontario M2N 3A4,
Canada

A Google search for "swissdossier.com" comes up with no independent and reliable references to this so-called company.


Domains used:

swissdossier.com
swissdossier.cc
swissdossier.com.co

Treasury Management Institute

According to Companies House in the UK, there is no company in the UK with the name "Treasury Management Institute". The contact details indicate that this is perhaps the workplace of John or Jane Doe:

Email : 
 jdoe@treasurymanagementinstitute.com
 jdoe@treasurymanagementinstitute.cc
Addresses:
01, Temple Quay, Temple Back East, Bristol, BS1 6DZ, UK
SWConsulting Group, Sec 42 Gurgaon, India(Institute operates under the licence of SWConsulting Group)
There are no independent references to this organisation existing in Bristol.


Domains used:

treasurymanagementinstitute.com
treasurymanagementinstitute.cc
treasurymanagementinstitute.org

Financial Models India

Sharing the same contact details as some of these other highly questionable sites, and hosted on the same infrastructure, Financial Models India would appear to fail the Duck Test.

79 Thornall Street,
6th Floor, Edison, NJ 08837,
New Jersy,
USA

19th Floor,
Prudential Towers (North Side),
Office no: 1901,
Chulia Street, Singapore

Aeschenvorstadt, 405,
Basel, Switzerland

70 Sheppard Avenue,
Suite 301, North York,
Ontario M2N 3A4,
Canada

DLF Square M Block,
Jacaranda Marg DLF City, Phase II,
Gurgaon 122002, INDIA  

Domains used:

financialmodelsindia.com
financialmodels.co.in
fmtsglobal.com
unitedcapital-financialmodels.com
unitedcapitalglobal.com

Virat World Wide

This appears to be the firm or individual behind these sites. The "About Us" page says:

Ravindhar.V - Managing Director

Mr. Ravindhar is an able administrator and change master. He has rich experience in thearea of Financial Information Technology(FIT). He has developed financial software products and Information Technology management solutions for financial institutions and banks in more than a fifty countries and for top global Banks and companies. His qualification is Master of Finance and Accounting with a track of computer applications in Finance and Accounting(MFA). Mr.Ravindhar comes from Business Family of Poranki Sugars and his family is a legacy of entrepreneurs based in India. Group is widely respected by the industry.
I'm guessing the the "V" stands for "Virat", making him "Ravindhar Virat". The contact details list an address in the... errr. UNITED KIGDOM.

Global Support
+919-618-921-876
customersupport@virat.consulting
120, CENTRAL STREET
CLERKENWELL
LONDON
UNITED KIGDOM
This address is actually a hotel. The +91 telephone number is a number in India, not the UK.


Domains used:

virat.consulting
virat-transitionalhunts.biz
virat-th.co.in

Other domains

The other domains (mostly now defunct or with no content) also appear to belong to the same operator:

financialmodelsglobal.net
fortunicia-munich.org

europiafintech.com
europiafintech.net

fisher-n-moreglobal.com
fishernmore-global.org
fmg-singapore.org

intrinsic-pulse.com
intrinsic-pulse.asia


baselknowledge.net
clarklc.com
luthanskane.in
panarab-consulting.in
porankisugars.org
profectuspartners-singapore.com
proximitycorp.org
rfb-research.net
sino-overseasholdings.org
stermarc-worldwide.com
vertasbar.net

If you have any experiences with any of these "companies", feel free to leave a comment.