Sponsored by..

Tuesday, 24 November 2015

Malware spam: FEDERAL RESERVE BANK

This spam does not come from the Federal Reserve Bank, but is instead a simple forgery with a malicious attachment:

From     "FDIC, Federal Reserve Bank"
Date     Tue, 24 Nov 2015 15:14:19 +0200
Subject     IMPORTANT!

FEDERAL RESERVE BANK

Important:
You are getting this letter in connection with new directive No. 172390635 issued
by U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation
(FDIC). The directive concerns U.S. Federal Wire and ACH online payments.

We regret to inform you that from 11/24/2015 till 11/27/2015 definite restrictions
will be applied to all Federal Wire and ACH online transactions.

It's essential to know all the restrictions and the list of affected institutions.
The process of working with online transactions is mostly very tense, so it's possible
to overlook the applied restrictions, that may be very important for you.

More detailed information regarding the affected institutions and U.S. Treasury Department
restrictions is contained in the attached document.

Federal Reserve Bank System Administration

Alternative headers:
From    U.S. FRBank [admin@frb.com]
Date    24 November 2015 at 12:59
Subject    Attention!FED Wire and ACH Restrictions Applied!
From     FEDERAL RESERVE BANK [admin@usfrb.com]
Date     Tue, 24 Nov 2015 21:33:45 +0300
Subject     FED Wire and ACH Restrictions. IMPORTANT!

From     "USA FEDERAL RESERVE BANK" [security@frbservices.com]
Date     Tue, 24 Nov 2015 10:59:40 -0500
Subject     U.S. Treasury Department. FED Wire and ACH Restrictions Applied.

 Attached is an Excel file made up of part of the recipient's domain name plus a random number. So far I have seen two samples of this (VirusTotal [1] [2]) the latter of which is corrupt. The woirking one contains a macro that looks like this.

According to this Malwr report, the macro respectively POSTs and GETs from the following URLs:

rmansys.ru/utils/inet_id_notify.php
s01.yapfiles.ru/files/1323961/435323.jpg

Also, network communication is made with two other IPs, giving the following potentially malicious hosts:

185.26.97.120 (First Colo / Fornex, Germany)
90.156.241.111 (Masterhost, Russia)
89.108.101.61 (Agava Ltd, Russia)
95.27.132.170 (Beeline Broadband, Russia)


That .JPG file is actually an executable with a detection rate of 5/55. The Hybrid Analysis report shows all sorts of interesting things going on, but no clue as to what the purpose of the malware actually is. Those reports and this Malwr report shows some additional traffic:

217.197.126.52 (e-Style ISP, Russia)
88.147.168.112 (Volgatelecom, Russia)


According to this Malwr report it drops all sorts of files including _iscrypt.dll [VT 0/54] and 2.exe [VT 2/54] which is analysed in this Malwr report and this Hybrid Analysis report. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected.

MD5s:
dfe5c17d74d5827df48395561ff2df58
132e53dcc20c8c2ebbec669d2764c182
832d9cc537e52e220a58a0f47069a315


Recommended blocklist:
185.26.97.120
90.156.241.111
89.108.101.61
95.27.132.170
217.197.126.52
88.147.168.112
217.19.105.3

UPDATE

This Hybrid Analysis report shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown.

Malware spam: "Abcam Despatch [CCE5303255]" / orders@abcam.com

I don't have the body text to this particular message, but it is not actually from Abcam. Instead it is a simple forgery with a malicious attachment.
From     orders@abcam.com
Date     Tue, 24 Nov 2015 13:48:14 +0300
Subject     Abcam Despatch [CCE5303255]
The attachment name is invoice_1366976_08-01-13.xls and it comes in at least two versions (VirusTotal [1] [2]) containing a malicious macro like this [pastebin] which downloads from the following locations (there may be more):

biennalecasablanca.ma/7745gd/4dgrgdg.exe
villmarkshest.no/7745gd/4dgrgdg.exe


This binary has a detection rate of 2/55 and phones home to the following IPs (according to this):

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)


MD5s:
00ac8683e56102928e825f8d71b15473
2e22d61bed8c1aafaef7700c5b1f26c2
87f0a43f81efa9fb3ff26b83ec831248

Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12


Malware spam: "Scan as requested" / "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]

This fake document scan does not come from New Hope Specialist Care but is instead a simple forgery with a malicious attachment:

From     "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date     Tue, 24 Nov 2015 07:11:00 -0300
Subject     Scan as requested

Regards


Paulette Riley

Administrator

New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE

tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104


* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *


This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988

---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

Attached is a file 20151009144829748.doc of which I have seen two versions (VirusTotal results [1] [2]) and which contain a macro like this [pastebin].

Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.

Frustratingly, it looks like the web host has suspended newhopecare.co.uk which is not helpful in these circustances, as it stops the victim company from posting a warning.


UPDATE

These two Hybrid Analysis reports [1] [2] show a download from the following locations:

www.costa-rica-hoteles-viajes.com/~web/7745gd/4dgrgdg.exe
janaduchanova.wz.cz/7745gd/4dgrgdg.exe


This has a VirusTotal detection rate of 4/55. That VT analysis and this Malwr analysis and these two Hybrid Analysis reports [1] [2] show network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic)


MD5s:
06c1c0a6d5482b93737f9ce250161b82
3368d7d4f48d291ee0f4ae7c81dd73a6
15fcf405b726379c6efabc89d6e0ceac


Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153



Monday, 23 November 2015

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc and so far I have come across three different versions of this (VirusTotal results [1] [2] [3]), containing a malicious macro like this [pastebin] which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe


This binary has a VirusTotal detection rate of 5/54. That VirusTotal report plus this Hybrid Analysis report and Malwr report indicate malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)


The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79

Malware spam: "Employee Documents – Internal Use" / Employee Documents(1928).xls

This spam appears to come from the "HR@" email address in the potential victim's own domain, but it is instead a simple forgery with a malicious attachment.

From: HR@victimdomain
To: victim@victimdomain
Subject: Employee Documents – Internal Use
Date: Mon, 23 Nov 2015 16:23:41 +0530

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: Quoted-Printable

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: [Link removed]
Attached is a file Employee Documents(1928).xls although I have had some difficulty acquiring a copy. However, my sources tell me that there are three different versions downloading from the following locations:

kunie.it/u654g/76j5h4g.exe
oraveo.com/u654g/76j5h4g.exe
www.t-tosen.com/u654g/76j5h4g.exe

The downloaded binary has a detection rate of just 1/54. That VirusTotal report and this Hybrid Analysis report show network connections to the following IPs:

89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
157.252.245.32 (Trinity College Hartford, US)


The payload is probably the Dridex banking trojan.

MD5s:
127f12a789c145ed05be36961376999e
c57bc09009a925a02fde6a6b58f988b3
bb62d7bc330a2e2452f773500428574c
a178d8d94238977b0c367dc761d9c7de


Recommended blocklist:
89.108.71.148
89.32.145.12
157.252.245.32



Friday, 20 November 2015

Malware spam: "Reprint Document archive" / "tracey.beedles@eurocarparts.com"

This fake financial spam does not come from Euro Car Parts but is instead a simple forgery with a malicious attachment.

From     tracey.beedles@eurocarparts.com
Date     Fri, 20 Nov 2015 18:49:06 +0700
Subject     Reprint Document archive

Attached is a Print Manager form.
Format = Word Document Format File (DOC)
The attachment is named pmB3A6.doc and it comes in at least four different versions (VirusTotal results [1] [2] [3] [4]) and it contains a malicious macro like this [pastebin] which according to these Hybrid Analysis results [5] [6] [7] [8] downloads a malicious binary from one of the three following locations:

pr-clanky.kvalitne.cz/65y3fd23d/87i4g3d2d2.exe
buzmenajerlik.com.tr/65y3fd23d/87i4g3d2d2.exe
irisbordados.com/65y3fd23d/87i4g3d2d2.exe


This executable has a detection rate of 4/52 and according to that VT report and this Malwr report there is network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)


Interesting, if you look at the Hybrid Analysis report and others, the executable masquerades as mbar.exe / Malwarebytes Anti-Rootkit. The payload is most likely to be the Dridex banking trojan.


Recommended blocklist:
157.252.245.32
89.32.145.12


MD5s:
ee5be0095669fb4456d2643359a174be
236244800e8f00d98a30d7d073ca3b41
e5413387decf22d3dfe3c899e43e6c25
e23b22e8bf2c97dbadd4eaa1e4e6fa21
4bd1b0bcc9bbf1889ccbd0ca0f82d5b5

Malware spam: "Jean Pierre Kibung" / "0150363108788101_02416060_1.xls"

This spam looks like an advanced free fraud, but instead it comes with a malicious attachment. The email appears to originate from within the victim's own domain, but this is a simple forgery and does not mean that you have been hacked.

From:    Jean Pierre Kibungu [jpie.kibungu@victimdomain]
Date:    20 November 2015 at 09:56
Subject:    0150363108788101_02416060_1.xls

Please find attached the swift of the transfer of $30000.

Kind regards
Jean Pierre Kibungu

INCAT


JEAN PIERRE KIBUNGU AVAR-DA-VISI
GENERAL MANAGER
INCAT OILFIELD LOGISTICS (DRC) LTD
Site:
Mob: + 243 998 01 95 01
Headoffice:
Tel.  +44(0) 1534 758859
Fax: +44(0) 1534 758834
The telephone number does match that of a genuine company in Jersey, but they are not sending this spam. The attachment is named 0150363108788101_02416060_1.xls and so far I have seen just one version of this with a VirusTotal detection rate of 4/53. It contains this malicious macro [pastebin].

Analysis of the spreadsheet is pending, but the payload is almost definitely the Dridex banking trojan.

UPDATE

Sources tell me there are at least two variants with download locations of:

betterimpressions.com/~impressions/65y3fd23d/87i4g3d2d2.exe
192.186.227.64/~irma1026/65y3fd23d/87i4g3d2d2.exe


This has an MD5 of d410a45dc4710ea0d383dee81fbbcb6f and a VirusTotal detection rate of 4/52. According to that VirusTotal report and this Malwr report, it makes a network connection to:

157.252.245.32 (Trinity College, US)

I strongly recommend that you block traffic to that IP.


Thursday, 19 November 2015

Malware spam: "Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]" / "support@postcodeanywhere.com"

This spam is not from postcodeanywhere.com but is instead a simple forgery with a malicious attachment. Unfortunately, I don't have the body text of the message, the hreaders are:

From     support@postcodeanywhere.com
Date     Thu, 19 Nov 2015 16:20:40 +0300
Subject     Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]
The attachment is EDMUN11118_181859.xls which comes in two different versions (VirusTotal results [1] [2]) which according to these Hybrid Analysis reports [3] [4] download a file from one of the following locations:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe
lapelsbadges.com//8i65h4g53/o97i76u54.exe [file not found]


This has a VirusTotal detection rate of 1/54 and that VirusTotal report indicates it phoning home to:

182.93.220.146 (Ministry Of Education, Thailand)

I strongly recommend that you block that IP address. The payload is the Dridex banking trojan.

MD5s
8e22032e0b5d338ef078f5aaf302fa4c
63e22e87b78f6f82d437c7b622a84945
8aba2ca4fd785759ad2ad262d9c62d2f







Malware spam: "Your Google invoice is ready" / "billing-noreply@google.com"

This fake invoice does not come from Google, but is instead a simple forgery with a malicious attachment:

From:    billing-noreply@google.com
Date:    19 November 2015 at 12:40
Subject:    Your Google invoice is ready

Attached to this email, please find the following invoice:

Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806


Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@google.com.

Yours Sincerely,
The Google Billing Team


--------------------------
Billing ID: 0349-7974-3806
The attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro like this [pastebin]).

Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan.

UPDATE

The Hybrid Analysis of the two documents [1] [2] shows attempted downloads from the following locations:

bhoomiconsultants.com/8i65h4g53/o97i76u54.exe [active]
bhairavraffia.com/8i65h4g53/o97i76u54.exe [file not found]


This binary has a detection rate of 1/54 and those reports indicate malicious network traffic to the familiar IP address of:


182.93.220.146 (Ministry of Education, Thailand)

I strongly recommend that you block traffic to that IP.

Malware spam: "[Shipping notification] N3043597 (PB UK)" / "noreply@cevalogistics.com"

This rather terse spam does not come from Ceva Logistics but is instead a simple forgery with a malicious attachment.

From:    noreply@cevalogistics.com
Date:    19 November 2015 at 10:27
Subject:    [Shipping notification] N3043597 (PB UK)
There is no body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is in the same in all cases, containing this malicious macro [pastebin] and it has a VirusTotal detection rate of 2/54. The comments on that VirusTotal report plus this Hybrid Analysis report indicate a malicious binary is downloaded from:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe

This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54 and this Hybrid Analysis report shows malicious traffic to the following IP (which I recommend you block):

182.93.220.146 (Ministry of Education, Thailand)


The payload is almost definitely the Dridex banking trojan.

Wednesday, 18 November 2015

Mystery "INTUIT QuickBooks" spam leads to unknown malware

This fake Intuit spam leads to malware:

From:    QuickBooks [qbsupport@services.intuit.com]
Date:    18 November 2015 at 14:34
Subject:    INTUIT QuickBooks                                                                                           
QuIckBooks.

As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 

The link in the email goes to:

kompuser.com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip

This downloads a file INTUIT-Browser-up1247.zip which in turn contains a malicious executable up1247.exe (MD5 563a1f54b9d90965951db0d469ecea6d) which has a VirusTotal detection rate of 2/54. That VirusTotal report and this Hybrid Analysis report show that the malware POSTs data to:

onbrk.in/p7yqpgzemv/index.php

The Malwr report is inconclusive. The payload is unknown, however all of the following domains share the same nameservers and have also been used for malicious activity going back to August.

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The malicious .in domain is hosted on the following IPs:

31.210.116.68 (Veri Merkezi Hizmetleri A.s., Turkey)
188.247.102.215 (DataGroup Dnepr, Ukraine)
89.163.249.75 (myLoc managed IT AG, Germany)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


Recommended blocklist:
31.210.116.68
188.247.102.215
89.163.249.75
95.173.164.212

kompuser.com
onbrk.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

UPDATE:
This entry at MalwareURL links the namesevers to the Nymaim ransomware.

Malware spam: "Receipt" / "Mike" [mike@xencourier.co.uk]

This fake financial spam does not come from Xen Courier but is instead a simple forgery with a malicous attachment:

From     "Mike " [mike@xencourier.co.uk]
Date     Wed, 18 Nov 2015 14:46:28 +0200
Subject     Receipt

Hi

Here is your credit card receipt attached. VAT invoice to follw in due
course.

Best regards

Mike

---
This email is free from viruses and malware because avast! Antivirus protection is
active.
http://www.avast.com
Despite the disclaimer, this is in no way free of viruses. Instead, it has a malicious attachment scan0001.xls which appears to come in at least three different versions with the following MD5s:

b8f5c889658cac07e810998aaa582d76
798c8a2a2d2fb658d4cea1fd60aff6b9
4592d152fcd1c3ea128b7b9e7224bf69


These contain a malicious macro that looks like this [pastebin] and the documents themselves have a VirusTotal detection rate of around 10/55 [1] [2] [3] and which according to these Hybrid Analysis reports [4] [5] [6] they attempt to download a malicious binary from the following locations:

www.eurocontainers.it/h64gf3/89j6cx.exe
www.asnp.it/h64gf3/89j6cx.exe
www.samsoncontrols.co.uk/h64gf3/89j6cx.exe [file not found]


This binary has a detection rate of 7/54 and that VirusTotal report and this Malwr report both indication malicious network traffic to:

203.172.180.195 (Ministry Of Education, Thailand)

That binary has the MD5 of:

6581b83c82ef4a2d940976a47550fb2c

 The payload is likely to be the Dridex banking trojan.

Monday, 16 November 2015

Malware spam: "DoT Payment Receipt" / "donotreply@transport.gov.uk"

This fake financial spam has a malicious attachment:

From: donotreply@transport.gov.uk [mailto:donotreply@transport.gov.uk]
Sent: Monday, November 16, 2015 12:10 PM
To: redacted
Subject: DoT Payment Receipt

[Automated message. Do not reply]

Thank you for your payment.  It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.

DISCLAIMER

This email and any attachments are confidential and may contain legally privileged and/or copyright material.  You should not read, copy, use or disclose any of the information contained in this email without authorisation.  If you have received it in error please contact us at once by return email and then delete both emails.  There is no warranty that this email is error or virus free.

I haven't seen this myself, but some contacts (thank you!) have. Attached is a file PaymentReceipt.xls which comes in several different versions, the sample I saw contained this malicious macro and had a VirusTotal detection rate of 5/54. According to my sources, the different versions download a malicious binary from one of the following:

gospi.eu/~gospi/45yfqfwg/6ugesgsg.exe
piotrektest.cba.pl/45yfqfwg/6ugesgsg.exe
wmdrewniana8.cba.pl/45yfqfwg/6ugesgsg.exe
www.kolumbus.fi/~kf0963/45yfqfwg/6ugesgsg.exe


This binary has a detection rate of 3/53 and that VirusTotal report and this Malwr report indicates malicious traffic to:

182.93.220.146 (Ministry Of Education, Thailand)
78.47.66.169 (Hetzner, Germany)
89.108.71.148 (Agava, Ltd)
221.132.35.56 (Post And Telecom Company, Vietnam)


The payload is the Dridex banking trojan.

MD5s:

e25a05d3fecceb14667048c07494d65f 
32f3495cb945448a9868c5fe653b8d7e
a5dd075bd48d16a3ad13c06651b0af10
ef3805be4797271a2a9c8552f77866c1
f2b78be5e8b52976f69b076338757146

Recommended blocklist:
cba.pl
182.93.220.146
78.47.66.169
89.108.71.148
221.132.35.56

Thursday, 12 November 2015

Malware spam: "FYI: INTERAC e-Transfer to Guillaume Davis accepted" / "Bank of Montreal [notify@payments.interac.ca]"

This fake financial spam leads to malware:

From:    Bank of Montreal [notify@payments.interac.ca]
Date:    30 September 2015 at 13:34
Subject:    FYI: INTERAC e-Transfer to Guillaume Davis accepted

Dear Customer

The INTERAC e-Transfer for $2997.60 (CAD) you sent to Guillaume Davis was accepted. The transfer is now complete.

Recipient's message:  A message was not provided

Thank you for using Bank of Montreal INTERAC e-Transfer Service.

Please follow the link below to download the transaction details:

https://storage-usw-11.sharefile.com/download.ashx?dt=dt7c26b2a7994b4070a947e9cd285718bb&h=u4fdqSy4IS59j0nzAr6RzZtYbrne3JpDFwd4YfEKKM0%3d
The link in the email downloads a file INTERAC e-Transfer transaction details.doc which has a VirusTotal detection rate of just 1/53. Analysis of the malicious code within the downloaded document is pending, however the use of sharefile.com is consistent with the delivery of the Dyre banking trojan.

Malware spam: "Invoice" / "Debbie Haydon [debbie@mvmilk.co.uk]"

This fake financial spam does not come from MV Milk but is instead a simple forgery with a malicious attachment:

From     Debbie Haydon [debbie@mvmilk.co.uk]
Date     Thu, 12 Nov 2015 18:04:10 +0700
Subject     Invoice

Thank you for your order.  Your Invoice - V414980 - is attached.

As agreed this invoice will NOT be sent via post.

If you have any questions regarding the attached invoice please telephone our office
on 01708 688422.

kind regards
Attached is a malicious Excel file named V414980.XLS, which is the same payload as found in this spam run also happening today.

Malware spam: "Remittance Advice" / "AccountsPayable@Norfolk.gov.uk"

This fake financial spam does not come from Norfolk County Council but is instead a simple forgery with a a malicious attachment:

From     AccountsPayable@Norfolk.gov.uk
Date     Thu, 12 Nov 2015 14:09:46 +0430
Subject     Remittance Advice

Dear Sir/Madam,

Please find attached your remittance advice.

Regards,
NCC

--
To see our email disclaimer click here http://www.norfolk.gov.uk/emaildisclaimer
Attached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54 and containing this malicious macro.

These documents then download a malicious binary from:

aniretak.wz.cz/5t546523/lhf3f334f.exe
sanoko.jp/5t546523/lhf3f334f.exe

 www.delianfoods.com/5t546523/lhf3f334f.exe

This binary has a VirusTotal detection rate of 3/54, and that report plus this Hybrid Analysis report show malicious traffic to:

95.154.203.249 (Iomart Hosting / Rapidswitch, UK)
182.93.220.146 (Ministry of Education, Thailand)

The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146

MD5s:
289af95f99f58c751a7d1d0a26d7cdb3
becb1cdbd1c1aea53260c2ed96eb6ee2
d020bfed9f93636114b9736100a9b59f
5173aaa2f5aa40df7ffa772eeaa0d1f7




Wednesday, 11 November 2015

Malware spam: "Refund from Bowater Incorporated" / PayPal

This fake PayPal email leads to malware:

From:    service@paypal.co.uk
Date:    11 November 2015 at 16:27
Subject:    Refund from Bowater Incorporated

PayPal

Bowater Incorporated has just sent you a refund

Wed, 11 Nov 2015 17:27:26 +0100
Transaction ID: 47E30904DC4145388
Dear Customer,
Bowater Incorporated has just sent you a full refund of £7849.90 GBP for your purchase.
If you have any questions about this refund, please contact Bowater Incorporated
The refund will go to your PayPal account. It may take a few moments for this transaction to appear in your account.
To see all the transaction details, please download and view from the link below.
https://www.paypal.com/uk/cgi-bin/webscr?cmd=view-a-trans&id=47E30904DC4145388
Merchant information
Bowater Incorporated
Note from merchant
None provided




Original transaction details
Description Unit price Qty Amount
Purchase from Bowater Incorporated £7849.90 GBP 1 £7849.90 GBP
Insurance: ----
Total: £7849.90 GBP
Refund to PayPal Balance: £7849.90 GBP
Invoice Number: 59266315
Yours sincerely,
PayPal
Please do not reply to this email because we are not monitoring this inbox. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright Š 1999-2015 PayPal. All rights reserved.

PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Societe en Commandite par Actions
Registered office: 64-75 Boulevard Royal, L-3369 Luxemburg
RCS Luxemburg B 205 162
PayPal Email ID PP1479 - nsjwiqin1ob5c

The link in the email goes to a download location at sharefile.com which leads to a file transaction details.zip containing a malicious executable transaction details.scr.

This binary has a VirusTotal detection rate of just 1/55. The Hybrid Analysis report shows network traffic consistent with Upatre download the Dyre banking trojan. One key IP address in 197.149.90.166 (Cobranet, Nigeria) which is well worth blocking.

MD5:
28989811c6b498910637847d538e43bf

Malware spam: "Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584" / "accounts@equip4work.co.uk"

This fake invoice does not come from OfficeFurnitureOnline.co.uk but is instead a simple forgery with a malicious attachment.
From     accounts [accounts@equip4work.co.uk]
Date     Wed, 11 Nov 2015 14:54:33 +0400
Subject     Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584

Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.

This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.

Thank you for your order.
Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report it then downloads a malicious binary from:

kdojinyhb.wz.cz/87yte55/6t45eyv.exe

In turn, this binary has a detection rate of zero. Those two reports plus this Malwr report show between them malicious traffic to the following IPs:

95.154.203.249 (Iomart / Rapidswitch, UK)
182.93.220.146 (Ministry Of Education, Thailand)
89.32.145.12 (Elvsoft SRL / Coreix , Romania / UK)


The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146
89.32.145.12
wz.cz

MD5s:
37ceca4ac82d0ade9bac811217590ecd
01638daf6dfb757f9a27b3e8124b3324


Tuesday, 10 November 2015

Malware spam: "Itinerary #C003NS39" / "no-reply@clicktravel.com "

This rather terse fake business spam does not come from Click Travel but is instead a simple forgery with a malcious attachment:

From: no-reply@clicktravel.com [mailto:no-reply@clicktravel.com]
Sent: Tuesday, November 10, 2015 11:21 AM
Subject: Itinerary #C003NS39

Please see document attached

Attached is a file Hotel-Fax-V0045G2B_8308427510989318361.xls which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) downloads a component from:

www.clemenciaortiz.com/87yte55/6t45eyv.exe

So far I have only seen one sample of this, there are likely to be others with different download locations but the same binary. This executable file has a detection rate of 2/55 and that VirusTotal report and this Malwr report indicate traffic to the following IP:

89.108.71.148 (Agava Ltd, Russia)

I strongly recommend blocking traffic to that IP address. The payload is the Dridex banking trojan.

MD5s:
2845499946fd5882f94cc9a4375b364a
2acc52daffb0c66998a84f5a3c57f193

Monday, 9 November 2015

Malware spam: "OUTSTANDING INVOICES" / "Steve McDonnell" [stevem@resimac.co.uk]

This fake financial email does not come from Resimac but is instead a simple forgery with a malicious attachment.

From     "Steve McDonnell" [stevem@resimac.co.uk]
Date     Mon, 09 Nov 2015 18:24:23 +0530
Subject     OUTSTANDING INVOICES

Dear,

Please find attached invoices 1396 & 1406 which are now outstanding.

I should be grateful if you would let me know when they are going to be paid.

Kind Regards
Steve McDonnell
Company Secretary

Resimac Ltd
Unit 11, Poplars Industrial Estate
Wetherby Road, Boroughbridge
North Yorkshire, YO51 9HS
UNITED KINGDOM
Tel: +44 (0) 1423 325073
Web: www.resimacsolutions.com

We are members of...

MIB Vertical logo stacked - Bottom - North East
NOF Logo
I have only seen a single sample of this with an attachment named Invoices001396,1406-11.2015.xls which has a VirusTotal detection rate of 3/54  and which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) in this case downloads a binary (very slowly!) from:

www.davidcaballero.com/87yte55/6t45eyv.exe

The VirusTotal detection rate for this binary is 3/55. That report indicates network traffic to:

89.108.71.148 (Agava Ltd, Russia)

Other analyses are pending, however I strongly recommend that you block traffic to that IP. The paylaod is likely to be the Dridex banking trojan.

MD5s:
b227c91fbc1ba56e9f01ab4f1e2e502f
25e28f3ffc62bb55131b312d99c8f33b

UPDATE:
This Malwr report also shows traffic to the same IP address.

Malware spam: Random Name shared "Amendment or the Agreement_09-11-2015.zip" with you

This fake Dropbox spam appears to come from randomly-generated people..

From:    Sandy Schmitt via Dropbox [no-reply@dropbox.com]
Date:    9 November 2015 at 11:41
Subject:    Sandy Schmitt shared "Amendment or the Agreement_09-11-2015.zip" with you
   
Sandy used Dropbox to share a file with you!

Click here to view.

The link in the email actually goes to sharefile.com where it downloads a file Amendment or the Agreement_09-11-2015.zip containing a malicious execitable Amendment or the Agreement_09-11-2015.scr which has a VirusTotal detection rate of 2/54.

Automated analysis is inconclusive [1] [2] but you can guarantee that this is nothing good. Because of the low detection rates, it might be worth temporarily blocking sharefile.com.

MD5s:
386426E5633B120C3A0E2F605AF42433
2E12D164F40C95284DE13D175DB9BDE2

UPDATE:

My sources (thank you!) say that this is Upatre dropping the Dyre banking trojan, dropping a DLL with a 2/55 detection rate. The comments in that report also contain a list of IP address that you might want to block.


Friday, 6 November 2015

Malware spam: "Payment Notification" / "Sarah Jeffes [messages.4143072.154255.7c0a97a59f@messages.netsuite.com]"

This fake financial spam has a malicious attachment:

From:    Sarah Jeffes [messages.4143072.154255.7c0a97a59f@messages.netsuite.com]
Date:    6 November 2015 at 11:55
Subject:    Payment Notification

Dear Supplier,

Please find attached remittance advice for payment to be processed in your account today.

Kind Regards,
Accounts
Kind Regards Macarthur Gas Pty Ltd.

Attached is a file Bill Payment_00001081_8.xls which in the samples I have seen is identical to the payload of this other spam run going on today.

Malware spam: "Invoice #00004232; From Timber Solutions" / "Kes [kerryadamson@bigpond.com]"

This fake invoice does not come from Timber Solutions but is instead a simple forgery with a malicious attachment:
From:    Kes [kerryadamson@bigpond.com]
Date:    6 November 2015 at 11:07
Subject:    Invoice #00004232; From Timber Solutions

Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow.  Please pay into the
account, details of which are at the foot of the invoice.  Kes
Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54 and contains this malicious macro [pastebin], which (according to this Hybrid Analysis report) downloads a binary from:

advancedgroup.net.au/~incantin/334g5j76/897i7uxqe.exe

..this is saved as %TEMP%\tghtop.exe and has a detection rate of... errr.. zero. Automated analysis of this binary [1] [2] shows network traffic to:

89.108.71.148 (Agava Ltd, Russia)

I strongly recommend that you block traffic that that IP. The payload is most likely to be the Dridex banking trojan.

MD5s:
39fe24d2055f88cff39e27abd7dc5132
6c21a09c80e076ec5b60b7415135ae7a


Malware spam: "Your latest e-invoice from TNT 4677602495 2722813" / "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]

This fake financial invoice does not come from TNT but is instead a simple forgery with a malicious attachment:

From     "eInvoicing" [groupadminstubbinsDONOTREPLY@tnt.com]
Date     Fri, 6 Nov 2015 12:53:01 +0200
Subject     Your latest e-invoice from TNT 4677602495 2722813

PLEASE DO NOT RESPOND - Emails to this address are not monitored or responded to.

Please find attached your TNT Invoice. Please note that our standard payment terms
require cleared funds in our account by the 15th of the month following the month
of invoice.

IMPORTANT CONTACT DETAILS

To register an invoice query please contact us at ukinvoicequeries@tnt.co.uk

To forward a remittance advice or confirm payment please contact us at tntuk.cash.allocation@tnt.com

To set up a Direct Debit plan please contact us at tntdirectdebit@tnt.co.uk

For quick and easy access to your invoices simply log in using your user name and
password to https://express.tnt.com/eInvoicing and you'll be able to view and download
your electronic invoices immediately.

If you have forgotten your user name or password please follow the above link where
you will be able to reset your log-in details. If you are experiencing any technical
issues with your e-Invoicing account please contact us at ukeinvoice@tnt.co.uk

Rest assured, we operate a secure system, so we can confirm that the invoice PDF
originates from TNT and is authenticated with a digital signature. Thank you for
using e-invoicing with TNT the smarter, faster, greener way of processing invoices.

---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise
protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete
this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment
or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s).
Print black and white and double-sided where possible.
----------------------------------------------------------------------------------
The attached file is inv6219014291_0519182.zip, although I don't have a sample of that at the moment. The payload is likely to be the Upatre downloader leading to the Dyre banking trojan.

Thursday, 5 November 2015

Malware spam: "Document from AL-KO" / info@alko.co.uk

This spam does not come from AL-KO but is instead a simple forgery with a malicious attachment:

From     [info@alko.co.uk]
Date     Thu, 05 Nov 2015 16:33:40 +0530
Subject     Document from AL-KO

This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)

Document from AL-KO.doc
Attached is a file Document from AL-KO-01.doc which probably comes in many different versions, but I've only had the chance to run two through analysis. Both are undetected by any AV vendor [1] [2] at present. The structure of the document seems unusual and I am having some difficulties seeing the malicious macros, but these two Hybrid Analysis reports [3] [4] show the macro in action, downloading from:

members.dodo.com.au/~mfranklin17/f75f9juu/009u98j9.exe
www.mazzoni-hardware.de/f75f9juu/009u98j9.exe


There will be other locations too, all downloading the same binary with a detection rate of 4/54 (MD5 39f7827813ac9bc74a4a9176c9e80487) Other automated analyses [5] [6] show network traffic to:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123

Wednesday, 4 November 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake Transport for London spam is a variation of something used before. It does not actually come from TfL, but is a simple forgery with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Wed, 4 Nov 2015 14:33:44 +0100
Subject     Email from Transport for London

Dear Customer

Please open the attached file to view correspondence from Transport for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.

Attached is a file 6305093.zip of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75) which has a VirusTotal detection rate of 7/54. This Hybrid Analysis report shows it communicating with the well-known malicious IP address of 197.149.90.166 (Cobranet, Nigeria) which I recommend you block.

The payload here seems to be Upatre dropping the Dyre banking trojan.

Tuesday, 3 November 2015

Malware spam: "New Invoice from Documents Online" / "Documents Online Limited" [sales@documentsonline.co.uk]

This fake financial spam has a malicious attachment:

From     "Documents Online Limited" [sales@documentsonline.co.uk]
Date     Tue, 3 Nov 2015 17:24:30 +0530
Subject     New Invoice from Documents Online

Dear Customer,

This is a notice that an invoice has been generated against your account, details
of the invoice are as follows:

Invoice #241
Amount Due: 90.00GBP
Due Date: 01/12/2015
Payment Method: Bank Transfer

Invoice Items

[redacted] (01/12/2015-31/12/2015) 75.00GBP

------------------------------------------------------
Sub Total: 75.00GBP
20.00% UK VAT: 15.00GBP
Credit: 0.00GBP
Total: 90.00GBP
------------------------------------------------------

Please find attached a copy of this invoice in PDF format for your records.

IMPORTANT: Please open the attached file using your temporary password. Your temporary
password is: UCZ941QXO941

If you have a Direct Debit setup via our payment gateway GoCardless, payment will
be taken automatically on or shortly after the invoice due date. Alternatively payment
can be made in one of the following ways:

1) Online via Credit/Debit card by clicking this link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=241

2) Bank Transfer:

    Lloyds TSB, PO Box 1000, BX1 1LT
    Account: Documents Online Limited
    Sort: 30-94-47
    Account: 39921360

3) Setting up a Direct Debit using our payment gateway GoCardless by following these
steps:

a) Click this payment link: http://www.documentsonline.co.uk/clients/viewinvoice.php?id=223
(you will need your portal login details).
b) You will be presented with the invoice, click the "Create Subscription" button
top right of the invoice.
c) You will then be automatically redirected to the Go Cardless website, follow the
instructions on screen to setup a recurring direct debit payment.

Thank you for your business and we look forward to receiving your payment.

Kind Regards,

Documents Online Limited
www.documentsonline.co.uk
Attached is a password-protected ZIP file Invoice-241.zip (in the case, the password is UCZ941QXO941) which in turn contains a malicious executable Invoice-241.zip.exe (MD5 c5770e371cdfde80dc87187b249b19ea) which appears to be undetected at present.

Analysis of the binary is pending, but it will be nothing good.

UPDATE:
This Hybrid Analysis report shows traffic consistent with Upatre dropping the Dyre banking trojan, including traffic to the well known bad IP of:

197.149.90.166 (Cobranet, Nigeria)

Malware spam: "Delivery Confirmation: 0068352929" / "ACUVUE_DEL [ship-confirm@acuvue.com]"

This fake financial spam does not comes from Acuvue, but is instead a simple forgery with a malicious attachment:

From     ACUVUE_DEL [ship-confirm@acuvue.com]
Date     Tue, 03 Nov 2015 12:26:17 +0200
Subject     Delivery Confirmation: 0068352929

PLEASE DO NOT REPLY TO THIS E-MAIL.  IT IS A SYSTEM GENERATED MESSAGE.

Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
Attached is a file Advance Shipping Notification 0068352929.DOC which my sources (thank you, btw) say comes in four different versions, although I have only seen three (VirusTotal results [1] [2] [3], Hybrid Analysis results [4] [5] [6])  containing a macro that looks like this [pastebin]. The download locations are:

builders-solutions.com/45gce333/097j6h5d.exe
goalaskatours.com/45gce333/097j6h5d.exe
www.frontiernet.net/~propertiespricedtosell/45gce333/097j6h5d.exe
www.prolococopparo.it/45gce333/097j6h5d.exe


This malicious binary has a VirusTotal detection rate of 6/54. That VT report and this Hybrid Analysis report show network communications to the following IPs:

128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is most likely to be the Dridex banking trojan.

Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56

MD5s:
c6cefd2923164aa14a3bbaf0dfbea669
8de322b1fb6a2cc3cbe237baa8d5f277
110d5fde265cd25842b63b9ec4e57b3c
dcf4314773c61d3dde6226a2d67424e8
274695746758801bfb68f46f79bfb638






Monday, 2 November 2015

Scam: "European Trademark Publication" / "ETP" / "etp-publication.com"

A little while ago I registered a trademark. I was a bit surprised to see a small flurry of scammers following that up (by snail mail), sending me what to all intents and purposes are fake invoices. Here is one of them.

In the greyed-out text at the bottom, you can just about read the bit where they give the game away..


Basically, this "ETP" outfit is saying.. send us £930 for no reason at all. Avoid.

Malware spam: "Purchase Order 37087-POR" / "Margaret Wimperis [MargaretWimperis@biasbinding.com]"

This fake financial spam does not come from K. Stevens (Leicester) Ltd but is instead a simple forgery with a malicious attachment.

From     Margaret Wimperis [MargaretWimperis@biasbinding.com]
Date     Mon, 02 Nov 2015 18:28:23 +0700
Subject     Purchase Order 37087-POR

Hi
Please confirm receipt of order
Kind regards
Margaret


-----------------------------
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited. The views expressed by the author are not
necessarily those of  K. Stevens (Leicester) Ltd.

-----------------------------
Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro similar to this one [pastebin], which download a binary from the following locations:

saltup.com/34g3f3g/68k7jh65g.exe
landprosystems.com/34g3f3g/68k7jh65g.exe
jambidaily.com/34g3f3g/68k7jh65g.exe


This binary has a detection rate of 4/55 and according that that VirusTotal report, this reverse.it report this Malwr report it contacts the following IP:

128.199.122.196 (DigitalOcean, Singapore)

I strongly recommend that you block that IP. The payload is likely to be the Dridex banking trojan.

MD5s:
eb7df68bd7eb7cf2968cf541af3472d6
fca7c5a1b7fc754588da67c04d225504
6e07bb7f248492d54fdd604ca29da776
867295e266fc496572e42c9cd6281132