Dynamoo's Blog

Thursday 21 January 2016

Malware spam: "Invoice from COMPANY NAME - 123456"

This spam comes from random senders at random companies with random reference numbers. The attachment is named to reflect those values. For example:

From:   Bettye Davidson
Date:   21 January 2016 at 08:24
Subject:   Invoice from DRAGON OIL - 8454985

Please find attached a copy of your invoice

Many Thanks

Bettye Davidson
DRAGON OIL

Attachment: DRAGON OIL - inv8454985.DOC

================

From:   Charlotte Atkinson
Date:   21 January 2016 at 08:23
Subject:   Invoice from GULF FINANCE HOUSE - 40610

Please find attached a copy of your invoice

Many Thanks

Charlotte Atkinson
GULF FINANCE HOUSE

Attachment: GULF FINANCE HOUSE - inv40610.DOC

================

From:   Lucien Drake
Date:   21 January 2016 at 09:26
Subject:   Invoice from HYDROGEN GROUP PLC - 477397

Please find attached a copy of your invoice

Many Thanks

Lucien Drake
HYDROGEN GROUP PLC

Attachment: HYDROGEN GROUP PLC - inv477397.doc

So far I have seen a couple of different versions of the attachment (VirusTotal [1] [2]) which according to Malwr [3] [4] both download a malicious binary from:

5.189.216.101/dropbox/download.php

This IP belongs to LLHost Inc, Netherlands. You can assume that the IP is malicious.

The dropped binary is named rare.exe, and has an MD5 e6f67b358009f66f1a4840c1eff19c2e of and a detection rate of 4/53. The Malwr report for this shows it phoning home to:

198.50.234.211 (OVH, Canada)

The payload is the Dridex banking trojan, and this behaviour is characteristic of Botnet 120.

Recommended blocklist:
198.50.234.211
5.189.216.101

Wednesday 20 January 2016

Malware spam: " Invoice / Credit Note Express Newspapers (S174900)" / georgina.kyriacoumilner@express.co.uk

This fake financial spam is not from Express Newspapers but is instead a simple forgery with a malicious attachment:

From:    georgina.kyriacoumilner@express.co.uk
Reply-To:    hannah.johns@express.co.uk
Date:    20 January 2016 at 14:28
Subject:    Invoice / Credit Note Express Newspapers (S174900)

Please find attached Invoice(s) / Credit Note(s) from Express Newspapers.

If you have any queries with it, or to request that future documents get sent to a different email address for processing, please contact:

hannah.johns@express.co.uk or telephone 020 8612 7149.

N.B. Please do not reply to this email address as it is not checked.

Kind Regards,

Express Newspapers
Finance Dept - 4th Floor,The Northern & Shell Building
Number 10 Lower Thames Street, London EC3R 6EN

****************************************************************************
Any views or opinions are solely those of the author and do not necessarily represent those of Express Newspapers

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.If you are not the intended recipient of this message please do not read ,copy, use or disclose this communication and notify the sender immediately. It should be noted that any review, retransmission, dissemination or other use of, or taking action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. E-mail communications may be monitored.
****************************************************************************
EXN2006

Attached is a file S174900.DOC which comes in at least three different versions (VirusTotal results [1] [2] [3]) and the Malwr reports for those [4] [5] [6] shows the following download locations:

www.helios.vn/98jh6d5/89hg56fd.exe [404 error]
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe
www.lassethoresen.com/98jh6d5/89hg56fd.exe

These are the same locations as seen here, but now the payload has changed to one with an MD5 of 34781d4f8654f9547cc205061221aea5 and a detection rate of 1/54. The malware still phones home to
216.224.175.92 (SoftCom America Inc, US) which I recommend you block.

Malware spam: "Emailing: 120205 Letter-response A3 2-2" / Tim Speed [Tim@plan4print.co.uk]

Tim Speed is really a super name for a printer. Better for a racing driver, but still good for a printer. Anyway, this fake financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple forgery with a malicious attachment.

From     Tim Speed [Tim@plan4print.co.uk]
Date     Wed, 20 Jan 2016 14:33:24 +0300
Subject     Emailing: 120205 Letter-response A3 2-2

Hi
Please find estimate attached for Letter-response A3 2-2
Kind regards
Tim Speed
Estimator / Account Handler
Tel: 0115 944 3377 Ext 104

Click here to check out our BRAND NEW website
Goshawk Road, Quarry Hill Industrial Park, Ilkeston, Derbyshire, DE7 4RG
Tel: 0115 944 3377 Fax: 0115 944 3388 Web: www.plan4print.co.uk
Email: tim@plan4print.co.uk

Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54. The Malwr report shows it downloading from:

www.lassethoresen.com/98jh6d5/89hg56fd.exe

This is the same malicious binary as used in this earlier attack. The payload is the Dridex banking trojan.

Malware spam: "Tax Invoice IN092649"/ Karin Edwards [karin.edwards@batonlockuk.com]

This fake financial spam is not from Baton Lock Ltd but is instead a simple forgery with a malicious attachment.

From:    Karin Edwards [karin.edwards@batonlockuk.com]
Date:    20 January 2016 at 09:34
Subject:    Tax Invoice IN092649

Tax Invoice IN092649 from Baton Lock Ltd.

Best Regards
Karin Edwards
Baton Lock Ltd

Attached is a file Tax Invoice IN092649.DOC which comes in at least two different versions (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads from:

www.lassethoresen.com/98jh6d5/89hg56fd.exe
www.helios.vn/98jh6d5/89hg56fd.exe

The dropped file is Dridex, the same as used in this campaign.

Malware spam FAIL: "Your compliment (ref: 398864)" / Rachael Love [env9729health@aylesburyvaledc.gov.uk]

This spam is not from Aylesbury Vale District Council but is instead a simple forgery with a malicious attachment.

From     Rachael Love [env9729health@aylesburyvaledc.gov.uk]
Date     Wed, 20 Jan 2016 13:28:21 +0430
Subject     Your compliment (ref: 398864)

I was not able to access the body text of this message. Note that the sender's email address varies slightly from message to message.

Attached is a file 398864 - Letter to recipient@domain.doc which contains the intended victim's email address. However - due to an error by the bad guys - none of the samples I have seen are downloadable.

The intended payload is probably the Dridex banking trojan, much like this.

Malware spam: "Your device is on its way" / "O2 Lease [O2BusinessContracts@o2.com]"

This fake financial email is not from O2 but is instead a simple forgery with a malicious attachment. The attachment may not be downloadable in all cases due to an error in formatting.

From:    O2 Lease [O2BusinessContracts@o2.com]
Date:    20 January 2016 at 09:05
Subject:    Your device is on its way

Hello

Great news, you've accepted the O2 Lease terms and conditions and the hire agreement.

We've put your order through. So we'll be sending your new device out in the next few days.

Best regards
O2 Customer Service

You can find out more about being on O2 at o2.co.uk/hello

For the latest updates and news, why not follow us on

or

This email is sent from Telefónica UK Limited, a company registered in England and Wales. Registered office: 260 Bath Road, Slough, Berkshire, SL1 4DX.

This electronic message contains information from Telefonica UK or Telefonica Europe which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email.

Switchboard: +44 (0)113 272 2000
Email: feedback@o2.com

Telefonica UK Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 1743099. VAT number: GB 778 6037 85
Telefonica Europe plc 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 05310128. VAT number: GB 778 6037 85
Telefonica Digital Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 7884976. VAT number: GB 778 6037 85

Attached is a file CCAConfirmedAgreement-07540353301-1052136.DOC which (if you can download it) comes in at least two versions (VirusTotal results [1] [2]) and the Malwr reports for those [3] [4] show the malicious document downloading from:

www.lassethoresen.com/98jh6d5/89hg56fd.exe
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe
www.helios.vn/98jh6d5/89hg56fd.exe [from this spam run]

There are probably some other download locations too. The dropped binary has an MD5 of 7db792adc71e9dc0f6bb28a5f802b7ab and a detection rate of 4/54. Those Malwr reports and the VirusTotal report indicate network traffic to:

216.224.175.92 (SoftCom America Inc., US)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, and the characteristics look like botnet 220.

UPDATE

The payload for today's Dridex 220 runs has been updated to 34781d4f8654f9547cc205061221aea5 with a detection rate of 1/54.

Malware spam FAIL: "Emailed Order Confirmation - 94602:1" / "DANE THORNTON" [dane@direct-electrical.com]

This fake financial spam is meant to have a malicious attachment.

From     "DANE THORNTON" [dane@direct-electrical.com]
Date     Wed, 20 Jan 2016 16:31:21 +0800
Subject     Emailed Order Confirmation - 94602:1

--
DANE THORNTON

Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up. Shame.

Tuesday 19 January 2016

Malware spam: Remittance Advice For Invoice 40502329 From C-Tech

This fake financial spam is not from C-Tech but is instead a simple forgery with a malicious attachment.

From:    Mary Mathis
Date:    19 January 2016 at 12:21
Subject:    Remittance Advice For Invoice 40502329 From C-Tech

Dear Accounts

Please find attached our current remittance advice.

Kind Regards

Mary Mathis MAAT

Accounts Assistant

Tel: +44 (0)1903 268599

Fax: +44 (0)1903 795454

The sender's name, references and name of the attachment will vary, the attachment itself is named something similar to remittance_advice40502329.doc. So far I have seen two versions with detection rates of 3/54 [1] [2] and the Malwr reports [3] [4] indicate a download from the following locations:

http://46.17.100.209/aleksei/smertin.php
http://31.131.20.217/aleksei/smertin.php

These IPs can be considered to be malicious and are allocated to:

46.17.100.209 (Mir Telematiki Ltd, Netherlands)
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)

The attack is very similar to this Dridex 120 spam run earlier today, except the download locations and dropped binary has changed to this one [VT] with an MD5 of c19959c2d372a7d40d4ba0f99745f114. According to this Malwr report, it phones home to the same evil IP address of 198.50.234.211 as before.

Malware spam: "A/c 1762881 - Remittance Advice" / "Industrial Electronic Wiring Ltd"

This fake financial spam does not come from Industrial Electronic Wiring Ltd but is instead a simple forgery with a malicous attachment.

From:    Herb Castro [CastroHerb70608@essgee.com]
Date:    19 January 2016 at 10:29
Subject:    A/c 1762881 - Remittance Advice

Hi

Please see attached remittance.

Can you please supply a copy of invoice 06438632660 dated 19.11.15., which we appear to be missing.

Regards

Herb Castro
Industrial Electronic Wiring Ltd

Sender names, references and values vary. Attachments are named in a format remit_acc-1603154.doc and have detection rates of about 2/55 [1] [2] [3]. The Malwr reports [4] [5] [6] shows the documents communicating with:

91.223.88.206/victor/onopko.php
5.34.183.127/victor/onopko.php
179.60.144.19/victor/onopko.php

This drops a file aarab.exe which is identical to the payload in this spam run.

Malware spam: "More scans" / admin / DOC201114-201114-001.DOC

This fake scanned document appears to come from admin@ the victim's own domain. There is no body text in the email.

From:    admin [admin@victimdomain.tld]
Date:    19 January 2016 at 09:42
Subject:    More scans

I have seen just a single sample with a document named DOC201114-201114-001.DOC which has a detection rate of 4/53 and which according to this Malwr report downloads from:

www.cnbhgy.com/786585d/08g7g6r56r.exe

This download location was used in this earlier spam run but the payload has now changed, however it is still the Dridex banking trojan.

Malware spam: "Remittance Advice 1B859E37" / "Bellingham + Stanley"

This fake financial does not come from Bellingham + Stanley but is instead a simple forgery with a malicious attachment. Reference numbers and sender names will vary.

From:    Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date:    19 January 2016 at 09:45
Subject:    Remittance Advice 1B859E37

For the attention of Accounts Receivable,

We are attaching an up to date remittance advice detailing the latest payment on your account.

Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.

Kind regards,
Adeline Harrison

Best Regards,

Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley

Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com

I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:

http://179.60.144.19/victor/onopko.php
http://5.34.183.127/victor/onopko.php

Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)

UPDATE 1: this related spam run also downloads from:

91.223.88.206/victor/onopko.php

This is allocted to "Private Person Anton Malyi" in Ukraine.

A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:

198.50.234.211 (OVH, Canada)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.

UPDATE 2

This other Dridex 120 spam run uses different download locations:

46.17.100.209/aleksei/smertin.php
31.131.20.217/aleksei/smertin.php

The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.

Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217

Malware spam: "Daily Mail - Payment overdue" / Raashida Sufi [Raashida.Sufii@dmgmedia.co.uk]

This fake financial spam does not come from the Daily Mail, but is instead a simple forgery with a malicious attachment:

From     Raashida Sufi [Raashida.Sufii@dmgmedia.co.uk]
Date     Tue, 19 Jan 2016 11:40:37 +0300
Subject     Daily Mail - Payment overdue

Hi,

I have currently taken over from my colleague Jenine so will be your new POC going
forward.

I have attached an invoice that is currently overdue for £360.00. Kindly email me
payment confirmation today so we can bring your account up to date?

Kind Regards
Rash Sufi
Credit Controller, dmg media Finance Services
Telephone: +44(0)203 615 5083        Email: Raashida.Sufi@dmgmedia.co.uk

Shared Values: Customer Focus, Excellence, Innovation, Integrity, Teamwork, Accountability,
Learning
P.O. Box 6795, St. George Street, Leicester, LE1 1ZP

______________________________________________________________________
This e-mail and any attached files are intended for the named addressee only. It
contains information, which may be confidential and legally privileged and also protected
by copyright. Unless you are the named addressee (or authorised to receive for the
addressee) you may not copy or use it, or disclose it to anyone else. If you received
it in error please notify the sender immediately and then delete it from your system.
Associated Newspapers Ltd. Registered Office: Northcliffe House, 2 Derry St, Kensington,
London, W8 5TT. Registered No 84121 England.

I have seen three different versions of the malicious attachment Invoice.doc (VirusTotal results [1] [2] [3]). The Malwr analysis of these documents [4] [5] [6] shows that the payload is identical to the Dridex banking trojan described here.

OMG: Twitter down.. "Something is technically wrong"

Twitter has been down for at least an hour. It feels like losing a limb. OK. Maybe not. A metaphorical limb. Please don't offer to come round to remove one just so I can compare.

Malware spam: "Thank you for purchasing from Cheaper Travel Insurance - 14068156"

This fake financial spam comes with a malicious attachment:

From     info17@Resellers.insureandgo.com
Date     Tue, 19 Jan 2016 14:27:06 +0530
Subject     Thank you for purchasing from Cheaper Travel Insurance - 14068156

Your policy number: MF/CP/205121/14068156

Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156

Insurance is arranged by Insure & Go Insurance Services Ltd who are authorised and regulated by the Financial Conduct Authority. Insure & Go Insurance Services Ltd Registered Address: 10th Floor Maitland House, Warrior Square, Southend-on-Sea, Essex SS1 2JY. Registered in England and Wales (Company Number: 04056769). Calls may be recorded and monitored.

The sender appears to be from info[some-random-number]@Resellers.insureandgo.com, but it is just a simple forgery. Attached is a malicious Word document that I have seen five different versions of (VirusTotal results [1] [2] [3] [4] [5]).

The Malwr reports on the samples [1] [2] [3] [4] [5] show download locations as:

www.cnbhgy.com/786585d/08g7g6r56r.exe
seaclocks.co.uk/786585d/08g7g6r56r.exe
mosaicambrosia.com/786585d/08g7g6r56r.exe

This has a VirusTotal result of 3/54. The Malwr and VirusTotal reports combined with this Hybrid Analysis show traffic to:

216.59.16.175 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
200.57.183.176 (Triara.com, S.A. de C.V., Mexico)
62.109.133.248 (Ignum s.r.o, Czech Republic)
103.23.154.184 (Ozhosting.com Pty Ltd, Australia)
41.38.18.230 (TE Data, Egypt)
202.137.31.219 (Linknet, Indonesia)
176.53.0.103 (Network Devices, Turkey)

The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign.

Dropped file MD5:
bbb091c44cb44dd348b8745590b2d9dd
4f272b8af966ccd73880888015d87e40

Attachment MD5s:
a36aa1d188f8b318401fe9c839a9d2c6
cd4d922487cf5da4348456d2695fbc56
9bbf47dac1ad712fa5d6109fc58d450f
79a854e552c992c1d3d5e838467da856
17d80dde11feb558216c8c04b4aa0494

Recommended blocklist:
216.59.16.175
195.96.228.199
200.57.183.176
62.109.133.248
103.23.154.184
41.38.18.230
202.137.31.219
176.53.0.103

UPDATE

The payload has now changed to one with an MD5 of 4f272b8af966ccd73880888015d87e40 and a detection rate of 2/54. The Malwr report indicates that the network behaviour is pretty much the same.

Monday 18 January 2016

Malware spam FAIL: "Statements" / Alison Smith [ASmith@jtcp.co.uk]

This fake financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.

From     Alison Smith [ASmith@jtcp.co.uk]
Date     Mon, 18 Jan 2016 18:27:36 +0530
Subject     Statements

Sent 12 JAN 16 15:36

J Thomson Colour Printers
14 Carnoustie Place

Glasgow

G5 8PB

Telephone 0141 4291094
Fax 0141 4295638

Attached is a file S-STA-SBP CRE (0036).xls which is actually corrupt, due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since Friday the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one, also spoofing the same company.

Malware spam FAIL: "Water Cooler World Invoice" / tom.thomson@watercoolerworld.com

This fake invoice is not from Water Cooler World but is instead a simple forgery with a malicious attachment. I was not able to capture the body text.

From     =?iso-8859-1?B?IlRvbSBUaG9tc29uIFdhdGVyIENvb2xlciBXb3JsZCI=?= [tom.thomson@watercoolerworld.com]
Date     Mon, 18 Jan 2016 18:35:14 +0700
Subject     Water Cooler World Invoice

Attached is a file INVOICE_F-160003834.doc which will appear to be corrupt because the MIME attachment is malformed (it will either appear to be zero length or it will be garbage). This is the second corrupt spam run today, it was meant to be delivering the Dridex banking trojan. A fuller analysis of the attempted payload can be found here.

Malware spam FAIL: "Invoice January" / "A . Baird" [ABaird@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers but is instead a simple forgery with a malicious attachment.

From     "A . Baird" [ABaird@jtcp.co.uk]
Date     Mon, 18 Jan 2016 16:17:20 +0530
Subject     Invoice January

Hi,

We have been paid for much later invoices but still have the attached invoice as
outstanding.

Can you please confirm it is on your system and not under query.

Regards

Alastair Baird
Financial Controller

[cid:image001.png@01CEE6A0.2D48E1B0]
Registered in Scotland 29216
14 Carnoustie Place
Glasgow G5 8PB
Direct Dial: 0141 418 5303
Tel: 0141 429 1094
www.jtcp.co.uk

P Save Paper - Do you really need to print this e-mail?

Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday [1] [2] [3]. The payload is meant to be the Dridex banking trojan.

If you can get hold of the original message, then it should be possible to locate the faulty Base 64 section which has a leading space in it. Removing the space and decoding the Base 64 would generate the intended malicious message. Obviously, I don't recommend doing that unless who want to decode the malware..

UPDATE

A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:

emirelo.com/786585d/08g7g6r56r.exe
esecon.com.br/786585d/08g7g6r56r.exe
outago.com/786585d/08g7g6r56r.exe

This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54. The same source identifies the following C2 servers whcih are worth blocking:

192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)

Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173

Friday 15 January 2016

Malware spam FAIL: "Statement" / Kelly Pollard [kelly.pollard@carecorner.co.uk]

This fake financial spam is meant to have a malicious attachment, but it is corrupt:

From     Kelly Pollard [kelly.pollard@carecorner.co.uk]
Date     Fri, 15 Jan 2016 13:56:01 +0200
Subject     Statement

Your report is attached in DOC format.

Kelly Pollard
Marketing Manager
Tel: 01204 89 54 10    Fax: 01204 89 54 11

[final care corner logo]

The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here and here, namely the Dridex banking trojan. This is the third corrupt Dridex run today. Shame.

Malware spam FAIL: "Reservation Confirmation Number79501" / reservations@draytonmanorhotel.co.uk

This fake hotel reservation is meant to have a malicious attachment, but it is corrupt and you cannot download it.

From     [reservations@draytonmanorhotel.co.uk]
Date     Fri, 15 Jan 2016 16:21:55 +0530
Subject     Reservation Confirmation Number79501

We are pleased to confirm the attached booking at Drayton Manor Hotel.

Should you have any queries, please do not hesitate to contact us. We look
forward to welcoming you to Drayton Manor Hotel.

Kind Regards

Harry Ashbolt
Reservations

The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).

A source tells me that when repaired, the documents attempt to download a malicious binary from:

hotyo.1pworks.com/786585d/08g7g6r56r.exe
members.chello.nl/~h.pot2/786585d/08g7g6r56r.exe
w04z5e8ry.homepage.t-online.de/786585d/08g7g6r56r.exe

The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.

Malware spam: "Scanned image from MX-2640N" / cm_sharpscan@yahoo.co.uk

This fake document spam is meant to have a malicious attachment, but all the versions I have seen are corrupt.

From:    cm_sharpscan@yahoo.co.uk
Date:    15 January 2016 at 10:12
Subject:    Scanned image from MX-2640N

Reply to: cm_sharpscan@yahoo.co.uk [cm_sharpscan@yahoo.co.uk]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned image in Microsoft Word format.

The attachment is meant to be in the format username@domain.tld_201601151152_097144.doc but due to an apparent error in the MIME formatting, saving it results in a file in the format _username@domain.tld_201601151152_097144.doc_ 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead

The next problem for the bad guys is that they have added a leading space to the Base 64 encoded section with the attachment in. This means that unless the mail client somehow fixes the error, the attachments are harmless (VirusTotal results [1] [2] [3] [4]).

Now, not many people are going to wade in and fix the malicious attachments, but I did and I got three unique files (VirusTotal results [1] [2] [3]).

Analysis of these documents is pending, but the payload is probably meant to be the Dridex banking trojan.

UPDATE

I managed to coax a Hybrid Analysis of two of the documents [1] [2] showing download locations of:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe

This executable is the same one dropped in this spam run. It currently has a VirusTotal detection rate of 6/54.

Ironically, that Ukrainian site is on 91.217.91.18 (PE Ivanov Vitaliy Sergeevich, Ukraine) and it is the only time I have seen a legitimate site in the block.. and it has been hacked. In any case, I would recommend blocking the entire 91.217.90.0/23, legitimate sites or not.

Those two Hybrid Analysis reports give a whole bunch of callback IPs between them:

88.208.35.71 (Advanced Hosters B.V., NL)
216.117.130.191 (Internet Technologies Inc., US)
116.12.92.107 (Lanka Comunication Services, Sri Lanka)
46.32.243.144 (Heart Internet VPS, UK)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
161.53.144.25 (Veleuciliste U Sibeniku, Croatia)
41.38.18.230 (TE Data, Egypt)

Despite the fact that the attachments aren't working, I would expect to see those IPs in use for other badness and I would recommend blocking them.

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230