Dynamoo's Blog

Monday 14 December 2015

Malware spam: "Scan from a Samsung MFP" / "Gareth Evans [gareth@cardiffgalvanizers.co.uk]"

This fake scanned document does not come from Cardiff Galvanizers but is instead a simple forgery with a malicious attachment.

From:    Gareth Evans [gareth@cardiffgalvanizers.co.uk]
Date:    14 December 2015 at 10:43
Subject:    FW: Scan from a Samsung MFP

Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.

This message has been scanned for malware by Websense. www.websense.com

I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54. It contains a malicious macro [pastebin] which according to this Malwr report downloads a malicious binary from:

test1.darmo.biz/437g8/43s5d6f7g.exe

There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to the following malicious IPs:

199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)

The payload is likely to be the Dridex banking trojan.

MD5s:
dcb019624fb8e92eb26adf2bef77d46c
21781d7e2969bd9676492c407a3da1cc

Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169

Friday 11 December 2015

Malware sites and evil networks to block (2015-12-11)

This group of domains and IPs are related to this Teslacrypt attack, sharing infrastructure with some of the malicious domains in question. In addition to Teslacrypt, some of these are connected with PoSeidon, Pony and Gozi malware.

The analysis [csv] includes SURBL and Google ratings, ISP information and a recommended blocklist.

Malicious domains:
auth-mail.ru
blagooooossss.com
brostosoosossss.com
chromedoors.ru
debatelocator.ru
ggergregre.com
growthtoys.ru
hagurowrob.ru
hedtheresran.ru
listfares.ru
littmahedtbo.ru
mikymaus.in
mytorsmired.ru
poponkia.com
soft2webextrain.com
softextrain64.com
softextrain644.com
toftevenghertbet.ru
wordlease.ru
workcccbiz.in

Partly or wholly malicious IPs:
46.166.168.106
80.87.202.52
96.8.119.3
104.232.34.141
149.202.234.190
176.103.48.223
185.18.53.247
185.118.64.182

Recommended blocklist:
46.166.168.64/26 (Duomenu Centras, UA)
80.87.202.0/24 (JSC Server, RU)
96.8.119.0/27 (New Wave NetConnect, US)
104.232.34.128/27 (Net3 Inc, US)
149.202.234.188/30 (OVH / Dmitry Shestakov, BZ)
176.103.48.0/20 (PE Ivanov Vitaliy Sergeevich, UA)
185.18.53.247 (Fornex Hosting, NL)
185.118.64.176/28 (CloudSol LLC, Russia)

I've blocked traffic to 176.103.48.0/20 for two years with no ill-effects, it seems to be a particularly bad network. There may be a few legitimate sites hosted in these ranges, they would mostly be Russian.. so if you don't usually visit Russian websites then the collateral damage might be acceptable.

Malware spam: "Invoice #66626337/BA2DEB0F" leads to Teslacrypt

I have only seen one sample of this fake invoice spam, so it is possible that the invoice references and sender names are randomly generated.

From:    Jarvis Miranda
Date:    11 December 2015 at 08:25
Subject:    Invoice #66626337/BA2DEB0F

Dear Client,

Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.

Thank you for understanding.

In the sample I saw, the attached file was named SCAN_invoice_66626337.zip which contained a malicious javascript [pastebin] with a VirusTotal detection rate of 5/54. When deobfuscated it becomes a bit clearer that it is trying to download a binary from:

soft2webextrain.com/87.exe?1
46.151.52.231/87.exe?1

This behaviour can be seen in these automated reports [1] [2]. The downloaded executable has a detection rate of 6/55 and an MD5 of 56214f61a768c64e003b68bae7d67cd2. This Malwr report gives a clearer indication of what the binary is doing, attempting to pull information from:

kochstudiomaashof.de

The screenshots indicate clearly that this is ransomware, specifically Teslacrypt.

Note that the soft2webextrain.com domain is on the same server as softextrain64.com seen yesterday, so 185.118.64.182 (CloudSol LLC, Russia) can be considered to be malicious.

UPDATE
I didn't spot originally that the "soft2webextrain.com" website is multhomed with another IP address on 149.202.234.190 which is an OVH IP allocated to a customer "Dmitry Shestakov" an which forms a small block of 149.202.234.188/30 which is probably also worth blocking.

UPDATE 2
I made an error with one of the IP addresses and specified 185.118.64.183 and it should have been 185.118.64.182.

Recommended blocklist:
185.118.64.182
149.202.234.188/30
46.151.52.231
kochstudiomaashof.de

Thursday 10 December 2015

Malware spam: "Order 311286 Acknowledged" / "sales@touchstonelighting.co.uk"

This fake financial spam does not come from Touchstone Lighting but is instead a simple forgery with a malicious attachment.

From:    sales@touchstonelighting.co.uk
Date:    10 December 2015 at 12:02
Subject:    Order 311286 Acknowledged

There is no body text. Attached is a malicious Word document Order Acknowledgement.doc which appears to be exactly the same as the payload used for this spam run.

Malware spam: "STMT ACWL-15DEC12-120106" / "accounts@mamsoft.co.uk [statements@mamsoft.co.uk]"

This fake financial email does not come from MAM Software but is instead a simple forgery with a malicious attachment.

From:    accounts@mamsoft.co.uk [statements@mamsoft.co.uk]
Date:    10 December 2015 at 11:35
Subject:    STMT ACWL-15DEC12-120106

The following are attached to this email:
XACWL-15DEC12-120106.DOC

Attached is a file XACWL-15DEC12-120106.DOC which I have only seen one variant of so far, with a VirusTotal detection rate of 6/54. According to the Malwr analysis, it downloads a file from:

life.1pworks.com/76t7h/76gjk.exe

There will probably be other versions of the document with different download locations. This executable has a detection rate of 2/54 and according to this Malwr report it contacts:

136.145.86.27 (University Of Puerto Rico, Puerto Rico)

Other analysis is pending, in the meantime I recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan.

MD5s:
6e8f48e7d53ac2c8f7b863078e9050b2
fbf7c8c4f90fcfdf284c3624d6baedf7

Malware spam: "Foreman&Clark Ltd" / "Last Payment Notice" leads to Teslacrypt

This fake financial spam does not come from the long-defunct Foreman & Clark, but instead it comes with a malicious attachment that leads to ransomware.

From:    Harlan Gardner
Date:    10 December 2015 at 08:48
Subject:    Reference Number #20419955, Last Payment Notice

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.

Sincerely,
Harlan Gardner
Sales Manager

Foreman&Clark Ltd.
256 Raccoon RunSeattle,
WA 98101

In the sample I saw, the attachment was named copy_invoice_20419955.zip which contained this malicious obfuscated script which has a VirusTotal detection rate of 2/55. When deobfuscated it becomes a bit clearer as to what it does, with an attempted download from:

46.151.52.196/86.exe?1
softextrain64.com/86.exe?1

This pattern is the same as the spam run yesterday. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55 and the Malwr report indicates that it pulls data from the following domains:

graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com
gjesdalbrass.no

The characteristics of this malware indicate the Teslacrypt ransomware.

Recommended blocklist:
46.151.52.196
softextrain64.com
gjesdalbrass.no
graysonacademy.com
grassitup.com
grupograndes.com
crown.essaudio.pl
garrityasphalt.com

Wednesday 9 December 2015

Fake "Fretter Inc" spam leads to Teslacrypt ransomware

This email claims to be from the long-dead retailer Fretter Inc, but it is not. Instead it comes with a malicious attachment leading to the Teslacrypt ransomware.

From:    Tonia Graves [GravesTonia8279@ikom.rs]
Date:    9 December 2015 at 14:50
Subject:    Your order #11004118 - Corresponding Invoice #B478192D

Dear Valued Customer,

We are pleased to inform you that your order #11004118 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.

We look forward to your remittance and will the dispatch the goods.

Thank you for choosing our services we sincerely hope to continue doing business with you again.

Sincerely,
Tonia Graves

Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913

There sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54] which in the sample I investigated was named invoice_iU9A2Y.js. When deofuscated it looks like this.

The Malwr report for that script shows it downloading from:

softextrain64.com/86.exe?1

The script itself shows an alternate location of:

46.151.52.197/86.exe?1

This has a VirusTotal detection rate of 3/55. A Malwr report on just the executable plus this Hybrid Analysis report shows it connecting to:

gjesdalbrass.no

It also tries to identify the IP address of the host by connecting to http://myexternalip.com/raw which is a benign service that you might consider to be a good indicator of compromise.

You can see in the screenshots of that Malwr report that this is ransomware, specifically Teslacrypt.

Recommended blocklist:
gjesdalbrass.no
softextrain64.com
46.151.52.197

Tuesday 8 December 2015

Malware spam: "EXB (UK) Ltd Invoice" / "Sales [sales@exbuk.co.uk]"

This fake financial spam does not come from EXB (UK) Ltd but is instead a simple forgery with a malicious attachment.

From:    Sales [sales@exbuk.co.uk]
Date:    8 December 2015 at 12:03
Subject:    EXB (UK) Ltd Invoice

Dear Sirs,

Please find attached our invoice, Thank you for your order

Best Wishes

EXB (UK) Ltd

Attached is a Word document named Invoice 1195288 from EXB (UK) Limited.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]) and which contain a complex macro [pastebin] that fails to run in automated analysis tools [4] [5] [6] [7] [8] [9].

The payload (if it works) is likely to be the Dridex banking trojan.

UPDATE
According to the comments on this post plus some other sources, the macros in these documents download from:

cabezasdealambre.eu/76re459/98uy76t.exe
mfmanastacio.com/76re459/98uy76t.exe
216.119.110.104/76re459/98uy76t.exe

That payload is identical to the one found in this earlier spam run.

Malware spam: "Updated Statement - 2323191" / "David Lawale [David.Lawale@buildbase.co.uk]"

This fake financial spam does not come from Buildbase but is instead a simple forgery with a malicious attachment.

From:    David Lawale [David.Lawale@buildbase.co.uk]
Date:    8 December 2015 at 10:58
Subject:    Updated Statement - 2323191

Hi,

Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?

Kind Regards

David

David Lawale | Credit Controller | Buildbase

Harvey Road, Basildon, Essex, SS13 1QJ

tel: +44(0)1268 590718 | fax: +44(0)1268 590077
www.buildbase.co.uk

Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.

UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.

UPDATE 2
According to the comments in this post and also some other sources, the the macros download from:

gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe

This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:

216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)

MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361

Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169

Monday 7 December 2015

Malware spam: "Your receipt from Apple Store, Manchester Arndale" / "manchesterarndale@apple.com"

This fake receipt does not come from an Apple Store, but is instead a simple forgery with a malicious attachment:

From:    manchesterarndale@apple.com
Date:    7 December 2015 at 09:43
Subject:    Your receipt from Apple Store, Manchester Arndale

Thank you for shopping at the Apple Store.

To tell us about your experience, click here.

Attached is a file emailreceipt_20150130R2155644709.xls which in the sample I analysed has a VirusTotal detection rate of 6/53.

According to this Malwr report, the attachment downloads a malicious binary from:

steveyuhas.com/~steveyuhas/87tr65/43wedf.exe

This has a VirusTotal detection rate of precisely zero. Those reports indicate network traffic to:

23.113.113.105 (AT&T Internet Services, US)

This is the same IP as seen in this earlier spam run, and I strongly recommend that you block it. The payload is likely to be the Dridex banking trojan.

Malware spam: "Transglobal Express - Shipping Documentation (TG-1569311)" / "sales@transglobalexpress.co.uk"

This fake shipping spam does not come from Transglobal Express but is instead a simple forgery with a malicious attachment.

From:    sales@transglobalexpress.co.uk
Date:    7 December 2015 at 09:28
Subject:    Transglobal Express - Shipping Documentation (TG-1569311)

Your Shipping Documentation for - TG-1569311

ORDER SUMMARY

Booking Ref:

TG-1569311

Destination Country:

UK

Service:

UPS Express Saver

Collection date:

04/12/2015

Your Shipping Label (Air Waybill)

Please find your Shipping Label for the above order attached.

Print two copies of your label(s). Securely attach one copy to your parcel and give one to the UPS driver upon collection.

Please use the label(s) we have provided to avoid any unwanted billing complications with UPS.

Don't have a printer? Please get in touch with us and we'll be happy to post your documentation to you.

You can access all order information and documentation via your My Account area on our website. You can track your parcel using your UPS Air Waybill number via our easy-to-use tracking page.

You can calculate your estimated transit time by visiting our Transit Times page and entering your collection and delivery postcode into the transit time calculator tools for your carrier. Please note that transit times do not account for customs delays.

SECURITY - Please note that your consignment may be subject to X-Ray and/or opened for inspection.

GET IN TOUCH!

Questions? Issues? Need to rearrange a collection? Call us on 0845 145 1212 (Monday- Friday 9:00-5:30pm), email sales@transglobalexpress.co.uk or say hello via our live chat feature at www.transglobal.org.uk. We are always happy to help.

Many thanks for your order,

Your Customer Services Team

For parcel delivery tips, special offers and up-to-the-minute industry news,
follow us on Twitter @TransGlobalExpr and like us on Facebook.

All work is undertaken subject to our standard Terms and Conditions of carriage (BIFA 2005) which limit our liability.
Copies are available on request or can be downloaded from our web site: www.transglobal.org.uk

1569311-1Z2X12A50495162278.doc
59K

Attached is a file 1569311-1Z2X12A50495162278.doc which in the samples I have seen has a detection rate of 7/55 and which contains this malicious macro [pastebin]. According to this Malwr report, the macro downloads a binary from:

www.lama.rs/87tr65/43wedf.exe

This has a VirusTotal detection rate of just 1/54. Those two reports plus this Hybrid Analysis indicate network traffic to:

23.113.113.105 (AT&T Internet Services, US)

I strongly recommend that you block traffic to that IP. The payload here is almost definitely the Dridex banking trojan.

MD5s:
fd7b410fd7936dd51c4b72ef4047c639
b55d33d92aa95d563e13c57c3bfc2dfe

afdsafadsfd

Thursday 3 December 2015

Malware spam: "ICM - Invoice #2393" / "Industrial Cleaning Materials (ICM)" [sales@icmsupplies.co.uk]

This fake financial spam does not come from Industrial Cleaning Materials but is instead a simple forgery with a malicious attachment:

From     "Industrial Cleaning Materials (ICM)" [sales@icmsupplies.co.uk]
Date     Thu, 03 Dec 2015 18:22:34 +0700
Subject     ICM - Invoice #2393

Dear Customer,

Please find invoice 2393 attached.

Kind Regards,
ICM

Industrial Cleaning Materials
Unit 19 Highlode Ind Est
Stocking Fen Road
Ramsey
Huntingdon
Cambridgeshire
PE26 2RB

Tel: 01487 800011
fax 01487 812075

I have seen two version of the attachment order_2393.doc with VirusTotal results of 2/54 [1] [2] and the Malwr reports [3] [4] show that they download a component from:

www.ofenrohr-thermometer.de/u5y432/h54f3.exe
ante-prima.com/u5y432/h54f3.exe

This has a VirusTotal detection rate of 1/53. The payload appears to be the same as the one in this spam run earlier today and looks like the Dridex banking trojan.

Malware spam: "Invoice from DATANET the Private Cloud Solutions Company" / "Holly Humphreys [Holly.Humphreys@datanet.co.uk]"

This fake financial email does not come from Datanet but is instead a simple forgery with a malicious attachment:

From:    Holly Humphreys [Holly.Humphreys@datanet.co.uk]
Date:    3 December 2015 at 08:57
Subject:    Invoice from DATANET the Private Cloud Solutions Company

Dear Accounts Dept :

Your invoice is attached, thank you for your business.

If you have any queries please do not hesitate to contact us.

Regards

DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday

Please reply to Accounts@datanet.co.uk
________________________________
Holly Humphreys
Operations
Datanet - Hosting & Connectivity
E:

Holly.Humphreys@datanet.co.uk

W:

www.datanet.co.uk

T:

01252 810010

F:

01252 813391

S:

01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7

DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.

Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.

Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053

I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.

According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from :

encre.ie/u5y432/h54f3.exe

There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55 and that report plus this Malwr report indicate malicious network traffic to:

162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)

The payload is almost definitely the Dridex banking trojan.

MD5s:
1bfd7cdc2731ec85617555f63473e3c9
0dcb805a3efa215bde97aa1f32559b77

Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169

UPDATE

I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from:

parentsmattertoo.org/u5y432/h54f3.exe

Malware spam: "Scanned image from MX-2600N"

This fake scanned image document appears to come from within the victim's own domain, but it is in fact just a simple forgery with a malicious attachment.

From:    no-reply@victimdomain.tld
Date:    3 December 2015 at 08:12
Subject:    Scanned image from MX-2600N

Reply to: no-reply@victimdomain.tld [no-reply@victimdomain.tld]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.

Attached is a file named no-reply@victimdomain.tld_20151203_3248.doc which I have seen just a single sample of so far with a VirusTotal detection rate of 2/55, and which contains this malicious macro [pastebin]. Automated analysis tools [1] [2] show that the macro downloads a component from the following location:

vinsdelcomtat.com/u5y432/h54f3.exe

There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55 and this Malwr report shows that it communicates with a known bad IP of:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP. The payload is most likely to be the Dridex banking trojan.

MD5s
23964bc22c2c81f9a41fb9f747a6c995
33a7583730e94d7877e1047272626455

Wednesday 2 December 2015

Malware spam: "Invoice from PASSION BEAUTY SUPPLY LTD" leads to Teslacrypt

Following on from this earlier spam run, this email has a malicious attachment that loads Teslacrypt ransomware.

From:    Monique Chen [ChenMonique412@magicleafstudio.com]
Date:    2 December 2015 at 19:22
Subject:    Invoice from PASSION BEAUTY SUPPLY LTD

Dear Customer ,

Please review the attached copy of your Invoice (number: IN78350434) for an amount of $470.49.

Thank you for your business

The attachment is named invoice_copy_78350434.zip and it contains a malicious script invoice_copy_BD2E45I62A129S.js which has a VirusTotal detection rate of 2/55. The script is obfuscated (see example) but according to these analyses [1] [2] downloads a malicious executable from:

74.117.183.84/76.exe?1

This has a detection rate of 3/55. The hosts contacts are the same as for the earlier spam run and I recommend you block them.

Malware spam: "Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014" / "Fuel Card Services [adminbur@fuelcardgroup.com]"

This fake financial spam is not from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:

From     Fuel Card Services [adminbur@fuelcardgroup.com]
Date     Wed, 02 Dec 2015 15:31:16 +0300
Subject     Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014

Please note that this message was sent from an unmonitored mailbox which is unable
to accept replies. If you reply to this e-mail your request will not be actioned.
If you require copy invoices, copy statements, card ordering or card stopping please
e-mail support@fuelcardservices.com quoting your account number which can be found
in the e-mail below. If your query is sales related please e-mail info@fuelcardservices.com.

E-billing
-

From: adminbur@fuelcardservices.com

Sent: Wed, 02 Dec 2015 15:31:16 +0300
To: hiett@petroldirect.com
Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014

Account: B500101

Please find your e-bill 0765017 for 30/10/2015 attached.

To manage you account online please click http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click http://www.fuelcard-group.com/cardorder/shell-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see http://www.fuelcardservices.com/ebill.pdf).

Please also note that if you cannot open this attachment and are using Outlook Express
to view your mail you should select Tools / Options / Security Tab and deselect
the
option marked "Do not allow attachments to be opened that potentially may be a virus".
All of our outgoing mail is fully virus scanned but we recommend this facility is
re-enabled if you do not use virus scanning software.

The attachment is name ebill0765017.doc and it comes in two different versions. The payload appears to be identical to this spam run earlier today. The payload is the Dridex banking trojan.

Malware spam: "November Invoice #60132748" leads to Teslacrypt

This fake financial spam comes with a malicious attachment.

From:    Valarie Davenport
Date:    2 December 2015 at 11:59
Subject:    November Invoice #60132748

Hello ,

Please review the attached copy of your Electronic document.

A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.

Thank you for your business.

Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js [Pastebin obfuscated / deobfuscated] and this downloads a malicious file from:

74.117.183.84/76.exe?1

It also tries to contact 5.39.222.193, but this times out. An attempt to download from bestsurfinglessons.com comes up with a 404 error.

The Malwr report and Hybrid Analysis indicates that this communicates with the following compromised domains:

ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org

Both those reports indicate that this is the Teslacrypt ransomware.

Furthermore, the Hybrid Analysis report also shows other traffic to:

tsbfdsv.extr6mchf.com
alcov44uvcwkrend.onion.to
rbtc23drs.7hdg13udd.com

MD5s:
72c15108b68a0f07fdc4d17bd58aa368
0352acd36fedd29e12aceb0068c66b49
f16692fc9170ff68321a5d060b93e2e7

Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance.it
ecaequeeessa.com
schonemaas.nl
cic-la-banque.org
extr6mchf.com
alcov44uvcwkrend.onion.to
7hdg13udd.com

Malware spam: "Your Adler Invoice No. UK 314433178 IN" / "service@adlerglobal.com"

This fake financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery, It is meant to have a malicious attachment, but all of the samples I have seen are malformed.

From:    service@adlerglobal.com
Date:    2 December 2015 at 11:36
Subject:    Your Adler Invoice No. UK 314433178 IN

Dear Customer,

Thank you very much for having placed your order with Adler.

Your goods have been shipped. Please see attached invoice for payment of
your order.

For your convenience, you will find several payment methods described on the
attached invoice (please be sure to include your Adler Order #).

If you have any questions, feel free to contact us.

Best Regards,
Your Adler Customer Service Team

Adler Manufacturing Limited
Eastgate House, 35-43 Newport Road
Cardiff CF24 0AB
Tel.: 0800 0087 555
Fax 0800 0087 666
www.adlerglobal.com

Supposedly attached is a document MD220EML.XLS but instead all the samples I see just have a Base 64 encoded section instead. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from:

vanoha.webzdarma.cz/4367yt/p0o6543f.exe
det-sad-89.ru/4367yt/p0o6543f.exe

These download locations were seen earlier, but the payload has changed to one with a detection rate of 4/55. Those earlier Malwr reports indicate malicious traffic to:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.

MD5s:
a68b72fbfb76964261a3601daa270647
5bb6f5b6dcd693af4c13e73bc6b7ed48
e81b373b90b0124b31648aa3a50ae2e7

Malware spam: "Aline Payment Request" / "Bruce Sharpe [bruce@alinepumps.com]"

This fake financial spam is not from Aline Pumps but is instead a simple forgery with a malicious attachment. In any cases Aline are an Australian company, they would not be sending out invoices in UK pounds.

From:    Bruce Sharpe [bruce@alinepumps.com]
Date:    2 December 2015 at 09:44
Subject:    Aline Payment Request

ATTENTION: ACCOUNTS PAYABLE

Dear Sir/Madam,

Overdue Alert

Our records show that your current balance with us is £2795.50 of which £2795.50 is still overdue.

Your urgent attention and earliest remittance of this amount would be appreciated.

We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@alinepumps.com

Sincerely,

Bruce Sharpe - Accounts Receivable

PO Box 694 Engadine NSW 2233 P. 02 9544 9999 F. 02 9544 8599 E. bruce@alinepumps.com

Attached is a file Statement_1973_1357257122414.doc which comes in at least three versions (although I have only seen two), with VirusTotal results of 4/55 [1] [2] and automated analysis [3] [4] shows download locations of:

pivarimb.wz.cz/4367yt/p0o6543f.exe
allfirdawhippet.com/4367yt/p0o6543f.exe

apparently there is another download location of

sebel.fr/4367yt/p0o6543f.exe

In any case, the downloaded binary is the same and has a detection rate of 3/55 The Malwr analysis and this Hybrid Analyis shows it phoning home to:

193.238.97.98 (PJSC DATAGROUP, Ukraine)

I strongly recommend that you block traffic to that IP.

MD5s:
4e87044b5566951e71c5b672ce416c7f
2b1ff4b456e926329a895be8ac136661
b99e4e57b0f319da4578cb957f910581

Malware spam: "Purchase Order 124658" / "Gina Harrowell [gina.harrowell@clinimed.co.uk]"

This fake financial spam is not from CliniMed Limited but is instead a simple forgery with a malicious attachment:

From     Gina Harrowell [gina.harrowell@clinimed.co.uk]
Date     Wed, 02 Dec 2015 01:53:41 -0700
Subject     Purchase Order 124658

Sent 2 DEC 15 09:18

CliniMed Ltd
Cavell House
Knaves Beech Way
Loudwater
High Wycombe
Bucks
HP10 9QY

Telephone 01628 850100
Fax 01628 850331

From:                    CliniMed Limited

Company Registration No: 01646927

Registered Office:       Cavell House, Knaves Beech Way,
                         Loudwater, High Wycombe, Bucks, HP10 9QY

The contents of this e-mail are confidential to the sender and the addressee. If
you are not the addressee, or responsible for delivering to the addressee, please
notify us immediately by telephoning our IT Support on 01628 850100 (UK) or +44 1628
850100 (international) and delete the message from your computer without copying
or forwarding it or disclosing its contents to any other party. CliniMed Limited
cannot accept any responsibility for changes made to this message after it was sent
and you should not rely on information given in the message without obtaining written
confirmation. It is the responsibility of the addressee to scan incoming mail for
viruses and CliniMed Limited accepts no liability or responsibility for viruses.
Opinions expressed in this e-mail are those of the sender and may not reflect the
opinions and views of CliniMed Limited.

Attached is a file P-ORD-C-10156-124658.xls which I have seen two versions of (VirusTotal results [1] [2]) which contain a malicious macro that looks like this [pastebin] which according to these automated analysis reports [3] [4] [5] [6] pulls down an evil binary from:

det-sad-89.ru/4367yt/p0o6543f.exe
vanoha.webzdarma.cz/4367yt/p0o6543f.exe

There may be other versions of the Excel document with different download locations, but the payload will be the same. This has a VirusTotal detection rate of 1/55 and those previous reports plus this Malwr report indicate malicious network traffic to the following IPs:

193.238.97.98 (PJSC Datagroup, Ukraine)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)

The payload is probably the Dridex banking trojan.

MD5s:
9e1bac7de9a3d2640c8342ba885f9fac
ad78358aa34f2208cde5b63fa27987ef
6fa491ea0bab9f6213329c4c010b27fe

Recommended blocklist:
193.238.97.98
94.73.155.8/29
89.32.145.12

Tuesday 1 December 2015

Malware spam: "Request for payment (PGS/73329)" / "PGS Services Limited [rebecca@pgs-services.co.uk]"

This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment:

From: PGS Services Limited [rebecca@pgs-services.co.uk]
Date: 1 December 2015 at 12:06
Subject: Request for payment (PGS/73329)

Dear Customer,
We are contacting you because there is an invoice on your account that is overdue for payment and although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
London

W1F 7PA
Full details are attached to this email in DOC format.

Click here to make a payment
If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.
Kind regards,
Rebecca Hughes
Customer services team
PGS Services | Expert Property Care
Direct dial: 0203 819 7054
Email: rebecca@pgs-services.co.uk
Visit our website: www.pgs-services.co.uk
10 quick questions - tell us what you think!
http://www.pgs-services.co.uk/feedback/

Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions (VirusTotal results [1] [2] [3]) and these Malwr reports [4] [5] [6] indicate that it downloads a malicious binary from the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
cru3lblow.xf.cz/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

This binary has a detection rate of 2/55. According to this Malwr report and this Hybrid Analysis report, it phones home to some familiar and very bad IPs:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
157.252.245.29 (Trinity College Hatford, US)

The payload is probably the Dridex banking trojan.

MD5s:
6171b6272b724e8c19079b5b76bcc100
00312e3379db83bcf9008dd92dc72c2f
d1a401e07f3cab9488d41d509444309f
a4dcd843f545e02ce664157b61cb6191

Recommended blocklist:
94.73.155.8/29
89.32.145.12
221.132.35.56
157.252.245.29

Malware spam: "Card Receipt" / "Tracey Smith" [tracey.smith@aquaid.co.uk]

This fake financial spam does not come from AquAid, but is instead a simple forgery with a malicious attachment. Poor AquAid were hit by the same thing several time earlier this year.

From     "Tracey Smith" [tracey.smith@aquaid.co.uk]
Date     Tue, 01 Dec 2015 10:54:15 +0200
Subject     Card Receipt

Hi

Please find attached receipt of payment made to us today

Regards
Tracey

Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk

AquAid really is the only drinks supplier you will ever need with our huge
product range. With products ranging from bottled and mains fed coolers ranging up
to coffee machines and bespoke individual one off units we truly have the
right solution for all environments. We offer a refreshing ethical approach
to drinks supply in that we support both Christian Aid and Pump Aid with a
donation from all sales. All this is done while still offering a highly
focused local service and competitive pricing. A personalised sponsorship
certificate is available for all clients showing how you are helping and we
offer £25 for any referral that leads to business.

*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with
registered number 3505477 and registered office at 51 Newnham Road,
Cambridge, CB3 9EY, UK. This message is intended only for use by the named
addressee and may contain privileged and/or confidential information. If you
are not the named addressee you should not disseminate, copy or take any
action in reliance on it. If you have received this message in error please
notify the sender and delete the message and any attachments accompanying it
immediately. Neither AquAid nor any of its Affiliates accepts liability for
any corruption, interception, amendment, tampering or viruses occurring to
this message in transit or for any message sent by its employees which is
not in compliance with AquAid corporate policy.

Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

This binary has a detection rate of 3/54. The Malwr report for that file shows that it phones home to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)

There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you block all traffic to 94.73.155.8/29.

These two Hybrid Analysis reports [1] [2] also show malicious traffic to the following IPs:

89.248.99.231 (Interdominios S.A., Spain)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
221.132.35.56 (Post and Telecom Company, Vietnam)
78.24.14.20 (VSHosting s.r.o., Czech Republic)

The payload here is probably the Dridex banking trojan.

MD5s:
e590d72e4a7a26aefcf4aa2b438dbb64
42a897dcd53bd7a045282205281892e4
b815797e050e45e3be435d3ecf48bfb0

Recommended blocklist:
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20

Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:

From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

Please see enclosed Sales Invoice for your attention.

Regards from Accounts at James F Kidd
( email: accounts@kidd-uk.com )

I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)

MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f

Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB

As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.

The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update.

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)

The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)

These nameservers support the following malicious domains:

exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net

The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

These nameservers support the following malicious domains:

browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com

As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)

I recommend that you block the following IPs and/or domains:

52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212
mlewipzrm.in
exstiosgen.com
ecestioneng.com
densetsystem.com
deseondefend.com
xonstensetsat.com
dledisysteming.com
thecertisendes.com
georgino.net
tangsburan.net
rebelleclub.net
helpagregator.net
browsersecurityupdates.com
intuit-browsersecurity.com
intuit-browserupdate.com
intuitdataserver.com
intuitdataserver1.com
intuitdataserver-1.com
intuitinstruments.com
intuit-security.com
intuitsecuritycenter.com
intuitsecurityupdates.com
intuit-securityupdates.com
intuit-updates.com
intuitupdates-1.com
security-center1.com
securitycentral1.com
securitycentral-1.com
securityserver-2.com
securityupdateserver-1.com
updates-1.com
updateserver-1.com
momedefer.pw
prizebrock.pw