Dynamoo's Blog

Friday 15 January 2016

Malware spam FAIL: "Reservation Confirmation Number79501" / reservations@draytonmanorhotel.co.uk

This fake hotel reservation is meant to have a malicious attachment, but it is corrupt and you cannot download it.

From     [reservations@draytonmanorhotel.co.uk]
Date     Fri, 15 Jan 2016 16:21:55 +0530
Subject     Reservation Confirmation Number79501

We are pleased to confirm the attached booking at Drayton Manor Hotel.

Should you have any queries, please do not hesitate to contact us. We look
forward to welcoming you to Drayton Manor Hotel.

Kind Regards

Harry Ashbolt
Reservations

The attachments (in the format uk_conf_email_2012_dmh562810.xls) appear to be corrupt because of an error in the MIME attachment in the email, so they will either be zero length or appear to be garbage. I haven't seen any non-corrupt versions of the attachment at all. This is the second corrupt Dridex spam run today (this is the other one).

A source tells me that when repaired, the documents attempt to download a malicious binary from:

hotyo.1pworks.com/786585d/08g7g6r56r.exe
members.chello.nl/~h.pot2/786585d/08g7g6r56r.exe
w04z5e8ry.homepage.t-online.de/786585d/08g7g6r56r.exe

The payload is the same one as found here with a detection rate of 6/55. I would recommend blocking the IPs I mentioned in that post too.

Malware spam: "Scanned image from MX-2640N" / cm_sharpscan@yahoo.co.uk

This fake document spam is meant to have a malicious attachment, but all the versions I have seen are corrupt.

From:    cm_sharpscan@yahoo.co.uk
Date:    15 January 2016 at 10:12
Subject:    Scanned image from MX-2640N

Reply to: cm_sharpscan@yahoo.co.uk [cm_sharpscan@yahoo.co.uk]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set

File Format: DOC (Medium)
Resolution: 200dpi x 200dpi

Attached file is scanned image in Microsoft Word format.

The attachment is meant to be in the format username@domain.tld_201601151152_097144.doc but due to an apparent error in the MIME formatting, saving it results in a file in the format _username@domain.tld_201601151152_097144.doc_ 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead

The next problem for the bad guys is that they have added a leading space to the Base 64 encoded section with the attachment in. This means that unless the mail client somehow fixes the error, the attachments are harmless (VirusTotal results [1] [2] [3] [4]).

Now, not many people are going to wade in and fix the malicious attachments, but I did and I got three unique files (VirusTotal results [1] [2] [3]).

Analysis of these documents is pending, but the payload is probably meant to be the Dridex banking trojan.

UPDATE

I managed to coax a Hybrid Analysis of two of the documents [1] [2] showing download locations of:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe

This executable is the same one dropped in this spam run. It currently has a VirusTotal detection rate of 6/54.

Ironically, that Ukrainian site is on 91.217.91.18 (PE Ivanov Vitaliy Sergeevich, Ukraine) and it is the only time I have seen a legitimate site in the block.. and it has been hacked. In any case, I would recommend blocking the entire 91.217.90.0/23, legitimate sites or not.

Those two Hybrid Analysis reports give a whole bunch of callback IPs between them:

88.208.35.71 (Advanced Hosters B.V., NL)
216.117.130.191 (Internet Technologies Inc., US)
116.12.92.107 (Lanka Comunication Services, Sri Lanka)
46.32.243.144 (Heart Internet VPS, UK)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
161.53.144.25 (Veleuciliste U Sibeniku, Croatia)
41.38.18.230 (TE Data, Egypt)

Despite the fact that the attachments aren't working, I would expect to see those IPs in use for other badness and I would recommend blocking them.

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230

Malware spam: "Your order #7738326 From The Safety Supply Company" / Orders - TSSC [Orders@thesafetysupplycompany.co.uk]

This fake financial spam does not come from The Safety Supply Company but is instead a simple forgery with a malicious attachment:

From:    Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date:    15 January 2016 at 09:06
Subject:    Your order #7738326 From The Safety Supply Company

Dear Customerl

Thank you for your recent purchase.

Please find the details of your order through The Safety Supply Company attached to this email.

Regards,

The Sales Team

So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.

UPDATE 1

This Hybrid Analysis on the first sample shows it downloading from:

149.156.208.41/~s159928/786585d/08g7g6r56r.exe

That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to commicate with:

216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)

I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.

Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2

Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac

UPDATE 2

This related spam run gives some additional download locations:

nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe

Sources also tell me that there is one at:

204.197.242.166/~topbun1/786585d/08g7g6r56r.exe

Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41

Thursday 14 January 2016

Malware spam: "Message from local network scanner" / Scann16011310150.docf

This fake document scan comes with a malicious attachment.

From:    jpaoscanner@victimdomain.tld
Date:    14 January 2016 at 10:45
Subject:    Message from local network scanner

There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery.

Attached is a file Scann16011310150.docf which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The file is a Word document, despite the extension.. I don't think anything opens DOCF files by default. This is maybe an error, or perhaps some sort of social engineering, or perhaps simply a way to bypass security filters.

Analysis of these documents is pending (check back later), however this is likely to be the Dridex banking trojan. Please check back.

UPDATE 1

Analysis is running slowing this morning, however this Hybrid Analysis shows one of the samples in action, downloading a binary from:

www.willsweb.talktalk.net/786h5g4/9787g4fr4.exe

This has a detection rate of 3/55. That same analysis reports that it phones home to:

188.138.88.14 (PlusServer AG, France)

I strongly recommend that you block traffic to that IP.

UPDATE 2

These two Malwr reports [1] [2] reveal some additional download locations:

www.gooutsidethebox.net/786h5g4/9787g4fr4.exe
199.59.58.162/~admin1/786h5g4/9787g4fr4.exe

Wednesday 13 January 2016

Malware spam: "Order 0046/033777 [Ref. MARKETHILL CHURCH]" / "JOHN RUSSELL [John.Russell@yesss.co.uk]"

This fake financial spam does not come from Yesss Electrical but is instead a simple forgery with a malicious attachment:

From     JOHN RUSSELL [John.Russell@yesss.co.uk]
Date     Wed, 13 Jan 2016 20:11:43 +0600
Subject     Order 0046/033777 [Ref. MARKETHILL CHURCH]

John Russell
Branch Manager

Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW

T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk

[EW Award winner 2015]
[Electrical Times Award winner 2014]
[EW Award winner 2014]
[YESSS gains all three BSI industry standards]
[Order a YESSS Book NOW!]
[Our YESSS motto]
[Visit the YESSS website]      [Visit the YESSS Facebook
page]       [Visit the YESSS Twitter page]
[Visit the YESSS Youtube page]
[Visit the YESSS Linkedin page]
[Visit the YESSS Pinterest page]

There are at least five different versions of the attachment 033777 [Ref. MARKETHILL CHURCH].doc (VirusTotal results [1] [2] [3] [4] [5]). Analysis of these documents is pending, however it is likely to be the Dridex banking trojan.

UPDATE

These Malwr reports [1] [2] [3] [4] [5] indicate the macro in the document downloads from one of the following locations:

amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe

This binary has a detection rate of 4/53. The Hybrid Analysis shows the malware phoning home to:

85.25.200.103 (PlusServer AG, Germany)

I recommend that you block traffic to that IP.

Malware spam: "EDI Remittance Alert (BACS-E18020)"

This fake financial spam comes with a malicious attachment:

From:    Clare Clements
Date:    13 January 2016 at 15:05
Subject:    EDI Remittance Alert (BACS-E18020)

Hi!

Please find attached EDI BACS Remittance NO. E18020

Regards,

Clare Clements

So far I have seen just one sample of this spam, and it was malformed so it was not possible to open the attachment without decoding it first. When done, this gave a file FILENAME.DOC with a detection rate of 3/54. The Malwr report for the document is inconclusive, but it most likely attempts to load the Dridex banking trojan.

Malware spam: "Martine Hill [mhill@riverford.co.uk]" / "INV 30/12/15"

This fake financial spam does not come from Riverford Organic Farms Ltd but is instead a simple forgery with a malicious attachment:

From:    Martine Hill [mhill@riverford.co.uk]
Date:    13 January 2016 at 09:17
Subject:    INV 30/12/15

Kind regards
Martine Hill
Finance Assistant

Bank details
Sort code 30 98 69
Account no 00849096

Riverford Organic Farms
01803 227323

image001

Riverford Organic Farms Ltd, Wash Barn, Buckfastleigh, TQ11 0JU
Registered in England No. 3731570

Attached is a file ROV_Report.doc which I have seen just a single variant of, this a VirusTotal detection rate of 2/55. The Malwr report indicates that the payload is identical to the one found in this spam run.

Malware spam: "Scanned Document" / "Color @ MRH Solicitors [color58@yahoo.co.uk]"

This fake scanned document has a malicious attachment:

From:    Color @ MRH Solicitors [color58@yahoo.co.uk]
Date:    13 January 2016 at 07:53
Subject:    Scanned Document

Find the attachment for the scanned Document

The attached file is named ScannedDocs122151.xls which comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The Malwr reports for these documents [6] [7] [8] [9] [10] show the malicious macro contained within downloading a malware executable from:

armandosofsalem.com/l9k7hg4/b4387kfd.exe
trinity.ad-ventures.es/l9k7hg4/b4387kfd.exe
188.226.152.172/l9k7hg4/b4387kfd.exe

This dropped binary has a detection rate of 4/55. It is unclear what this does as in the Malwr report it throws an error. The payload is almost definitely the Dridex banking trojan, and even if this version is faulty then it is likely that the malware will be fixed shortly.

Dropped file MD5:
a8a42968a9bb21bd030416c32cd34635

Attachment MD5s:
bc207bf8ad4c2dae92af9d333ca21346
829036f46897feed35381741d5b3872e
0fcc9eb9af29b5525b30d53755a413d9
e61abe8ad3d7f8b6bcf010ea6b51c0e3
29fe81a081127fa55fbab0ae1accaf05

UPDATE

The Hybrid Analysis of the dropped binary shows attempted network traffic to the following domains:

exotelyxal.com
akexadyzyt.com
ekozylazal.com

These are hosted on an IP worth blocking:

158.255.6.128 (Mir Telematiki Ltd, Russia)

Tuesday 12 January 2016

Malware spam: "Sales Invoice SIN040281. From Charbonnel et Walker Limited" / "Corinne Young [corinne.young@charbonnel.co.uk]"

This fake financial email does not come from Charbonnel et Walker Limited but is instead a simple forgery with a malicious attachment.

From:    Corinne Young [corinne.young@charbonnel.co.uk]
Date:    12 January 2016 at 10:42
Subject:    Sales Invoice SIN040281. From Charbonnel et Walker Limited

Kind Regards

Corinne Young
Assistant Accountant

Charbonnel et Walker Ltd, Medway Road, Tunbridge Wells, TN1 2FD
Tel: +44 (0)1892 559019 Fax: +44 (0)1892 559015

An error in the way the spam is formatted gives an attachment that appears to be named "SIN040281.DOC (note the leading quote marks) which will save on a Windows system as _SIN040281.DOC. I have only seen one variant of this attachment with a detection rate of 6/55 and for which the Malwr report indicates that this is the Dridex banking trojan (botnet 220) as described here.

Malware spam: "Copy of our CREDIT NOTE number 00000962064" / "SANTAN [sfernandes@simplesimon.co.uk]"

This fake financial spam has a malicious attachment:

From:    SANTAN [sfernandes@simplesimon.co.uk]
To:    POLLY [olga@bayley-sage.co.uk]
Date:    12 January 2016 at 10:55
Subject:    Copy of our CREDIT NOTE number 00000962064

This message contains 1 pages in Microsoft Word format.

Both the "From" and "To" fields are fake. Attached is a document fax00065189.doc that I have seen two versions of (VirusTotal results [1] [2]). The Malwr reports for those two files [3] [4] show that this is trying to deliver the Dridex banking trojan, as described here.

Malware spam: "Payment Advice - 0002014343" / Bhavani Gullolla [bhavani.gullolla1@wipro.com]

This fake financial spam is not from Wipro but is instead a simple forgery with a malicious attachment.

From:    Bhavani Gullolla [bhavani.gullolla1@wipro.com]
Date:    12 January 2016 at 09:51
Subject:    Payment Advice - 0002014343

Dear Sir/Madam,

This is to inform you that we have initiated the electronic payment through our Bank.
Please find attached payment advice which includes invoice reference and TDS deductions if any.

Transaction Reference :
Vendor Code :9189171523
Company Code :WT01
Payer/Remitters Reference No :63104335
Beneficiary Details :43668548/090666
Paymet Method : Electronic Fund Transfer
Payment Amount :1032.00
Currency :GBP
Processing Date :11/01/2016

For any clarifications on the payment advice please mail us at wipro.vendorhelpdesk@wipro.com OR
call Toll Free in India 1800-200-3199 between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order.

Regards,
VHD Signature
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a malicious binary from:

hotpointrepair.info/u5y4g3/76u54g.exe

This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55 and this Malwr report shows network traffic to:

199.231.189.9 (Interserver Inc, US)

I strongly recommend that you block this IP address.

Payload MD5:
b3d8604fee5ae6091928486c1fb11625

Attachment MD5s (there are probably others!)
3a73b39a8f84f96d8f9c19b4b88080c7
8fa6a1d7daebb9244db8458d99a45b38

UPDATE

There is an additional download location of:

per-forms.com/u5y4g3/76u54g.exe

The payload has changed but still has similar characteristics to before [VirusTotal report / Malwr report].

Payload MD5:
aaf2070192032e4e4cde5e16d0d7fcce

Malware spam: "Lattitude Global Volunteering - Invoice - 3FAAB65"

This fake financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple forgery with a malicious attachment.

From:    Darius Green
Date:    12 January 2016 at 09:33
Subject:    Lattitude Global Volunteering - Invoice - 3FAAB65

Dear customer,

Please find attached a copy of your final invoice for your placement in Canada.

This invoice needs to be paid by the 18th January 2016.

Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer our bank details are.

You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.

Account Name: Lattitude Global Volunteering
Bank:                        Barclays Bank
Sort Code:              20-71-03
Account No.           20047376
IBAN:                        GB13BARC20710320047376
SWIFBIC:                  BARCGB22

Kind regards

Luis Robayo
Accounts Department
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
finance@lattitude.org.uk
WWW.lattitude.org.uk

Visit us on Facebook
Follow us on Twitter

Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).

I have personally only seen two samples so far with detection rates of 2/55 [1] [2] . These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:

31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php

This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.

31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)

A file kfc.exe is dropped onto the target system which has a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986. Those previous Malwr reports indicate that it phones home to a familiar IP of:

78.47.119.93 (Hetzner, Germany)

Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84

Monday 11 January 2016

Malware spam: "Invoice No 39830 from CHEVRON ALARMS LTD A/C LA 6130AD38"

This fake invoice comes with a malicious attachment:

From:    Tracy Simpson
Date:    11 January 2016 at 12:56
Subject:    Invoice No 39830 from CHEVRON ALARMS LTD A/C LA 6130AD38

Please ensure that you keep us informed of any changes in your Bank Account details as you may need to set up a new Direct Debit mandate.

If you no longer wish to continue payment via Direct Debit after the minimum term of 12 months has elapsed then Payments can also be made via our website www.chevronalarms.com, click on payments tab and choose to make a payment via PayPal. Please quote the Invoice number 39830 and your Account Number LA MOT01.

Alternatively you can call the office on    01784 438822 and pay directly by Debit or Credit Card.

Please note that we make no additional charge for payment by Visa or MasterCard Credit or Debit cards, however there will be a 4% handling charge if payment is made via American Express.

Bank Payments may also be made to HSBC Bank PLC - Egham Branch
Sort Code 40-20-34
Account 6130AD38
Please quote reference 39830

Kind regards

Chevron Alarms

Tel: 01784 438822

Fax: 01784 438970

Email: service@chevronalarms.com

Chevron Alarms
Unit 10, Eversley Way, Thorpe Industrial Estate, Egham, Surrey, TW20 8RG

Registered in England: Registration No. 6143385, VAT No. 4388019 32

There are several different versions with different attachment, with low detection rates [1] [2] [3] and the Malwr reports [4] [5] [6] indicate that this is the same Dridex banking trojan as described here.

Malware spam: "We are processing your PC WORLD order (PCW1521248708)"

I've had several of these fake PC World emails get stuck in my spam trap. I don't have the body text, but the attachment is malicious.

From     PC World [no_reply@pcworld.co.uk]
Date     Mon, 11 Jan 2016 15:30:38 +0300
Subject     We are processing your PC WORLD order (PCW1521248708)

Attached is a file 102836144.doc which comes in a single version with a detection rate of 3/55. Analysis is pending, however the payload is like to be the same as with these two spam runs [1] [2].

Malware spam: "Invoice-11JAN15-53771728-GB"

This rather generic looking spam email leads to malware:

From:    Raleigh Frazier [FrazierRaleigh8523@amnet.net.au]
Date:    11 January 2016 at 11:20
Subject:    Invoice-11JAN15-53771728-GB

Dear Customer,

Please find attached Invoice 53771728 for your attention.

Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
02051 2651180.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

The name of the sender, references and attachment name varies. There are at least three different variations of the attachment, probably more. Detection rates are approximately 2/55 [1] [2] [3] and these Malwr reports [4] [5] [6] indicate that the behaviour is very similar to the one found in this spam run.

Malware spam: "Kaseya Invoice - 1ED0C068"

This fake financial email has a malicious attachment:

From:    Terry Cherry
Date:    11 January 2016 at 10:48
Subject:    Kaseya Invoice - 1ED0C068

Dear Accounts Payable,

Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.

Our bank details for wire transfer are included on the attached invoice.

Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@kaseya.com) for assistance with adding card details through our portal.

Please do not hesitate to let us know if you have any questions.

Thanks again for your patronage.

Sincerely,
Terry Cherry
Kaseya Customer Invoicing

Corporate: +1.415.694.5700 X4946
Email: CherryTerry66644@nyoda.com

The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very large number of variants of the attachments. In this case, I analysed three different attachments with detection rate of about 2/55 [1] [2] [3] and which according to these Malwr reports [4] [5] [6], downloads a binary from the following locations:

5.189.216.10/montana/login.php
77.246.159.154/montana/login.php
109.234.39.40/montana/login.php

All of these IPs should be considered to be malicious:

5.189.216.10 (LLHost Inc, Netherlands)
77.246.159.154 (JSC Server, Russia)
109.234.39.40 (McHost.ru, Russia)

A binary named trap.exe with an MD5 of aab74722020e631147836fc009f9419d and a detection rate of 5/54 is downloaded. According to this Malwr report the executable phones home to:

78.47.119.93 (Hetzner, Germany)

The payload is the Dridex banking trojan.

Recommended blocklist:
78.47.119.93
5.189.216.10
77.246.159.154
109.234.39.0/24

Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / "Andrew Williams [andrew.williams@eurocoin.co.uk]"

This fake financial spam does not come from E-Service (Europe) Ltd but is instead a simple forgery with a malicious attachment:

From     Andrew Williams [andrew.williams@eurocoin.co.uk]
Date     Mon, 11 Jan 2016 17:07:38 +0700
Subject     E-Service (Europe) Ltd Invoice No: 10013405

Dear Customer,

Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.

Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:

Tel (44) 01707 280000
Email: accounts@e-service.co.uk
Or logon and register to access your customer portal where you can view all historic
orders & transactions on www.e-service.co.uk

PLEASE NOTE NEW E-SERVICE (EUROPE) BANK DETAILS:

Currency        A/C No.         Sort Code         Swift Code      IBAN No.

GBP               21698613         40-04-37         MIDLGB22            GB48MIDL40043721698613
EUR               71685997         40-05-15         MIDLGB22           GB75MIDL40051571685997

Kind regards

E-Service (Europe) Accounts Team

E-Service have been exceptionally quick about posting an update on their Twitter page. However, they have not been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan.

So far, I have seen five different versions of the attachment, all named Invoice 10013405.XLS and with detection rates of about 8/55 [1] [2] [3] [4] [5]. Analysis of the attachments is pending, please check back later.

UPDATE

The Malwr reports for the attachment [1] [2] [3] [4] [5] show that the macro in the spreadsheet downloads a file from the following locations:

arellano.biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational.org/5fgbn/7tfr6kj.exe
www.c0-qadevtest.net/5fgbn/7tfr6kj.exe

This dropped file has a detection rate of 1/55. It is the same binary as found in this earlier spam run which phones home to:

114.215.108.157 (Aliyun Computing Co, China)

This is an IP that I strongly recommend blocking.

Dropped file MD5:
3d59b913f823314ca85839b60a9d563a

Attachment MD5s:
0a4cf4956f7725cc48809bf19759371c
b1bbced1425bcba77735017f6da21659
8f2803bb7564e85e4a5db6c877067a9f
295fe8083a872b9c3edf4439f3a00c67
9440167e49553f2a1d8aa1e38752e497

Malware spam: "Your latest invoice from UKFast No.1228407" / UKFast Accounts [accounts@ukfast.co.uk]

This fake financial spam does not come from UKFast but is instead a simple forgery with a malicious attachment.

From     UKFast Accounts [accounts@ukfast.co.uk]
Date     Mon, 11 Jan 2016 11:00:10 +0300
Subject     Your latest invoice from UKFast No.1228407

I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54. The Malwr report shows that the malicious macro [pastebin] downloads an executable from:

www.vmodal.mx/5fgbn/7tfr6kj.exe

This binary has a detection rate of 2/54 and an MD5 of 3d59b913f823314ca85839b60a9d563a. This Malwr report for the dropped file indicates network traffic to:

114.215.108.157 (Aliyun Computing Co, China)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Friday 8 January 2016

Malware spam: "Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB"

This fake financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.

From:    Hoyt Fowler
Date:    8 January 2016 at 10:49
Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7

Total Amount:   GBP 60,00

Due Date:               28.01.2016

If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.

Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882

Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics

I have only seen a single sample of this email at present, but if consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

According to this Malwr report, the sample attempts to download a further component:

194.28.84.79/softparade/spanish.php

There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.

A file named hram.exe is dropped onto to target system with a detection rate of 4/54. The Malwr report indicates that this communicates with:

78.47.119.93 (Hetzner, Germany)

This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.

UPDATE 1

A contact (thank you) let me know of two other download locations:

176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php

These are:

176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)

Both those are pretty well-known providers of malware. I recommend that you block the entire /20 in the first instance and the blocks referenced here in the second.

MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8

Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30

UPDATE 2

An updated version of the payload is currently being spammed out as on 11.01.16, with a payload identical to this spam run.

Thursday 7 January 2016

Malware spam: "Close Invoice Finance Limited Statement 1/1"

This fake financial spam comes with a malicious attachment:

From:    Carey Cross
Date:    7 January 2016 at 11:35
Subject:    Close Invoice Finance Limited Statement 1/1

Dear Customer,

Please find attached your latest statement from Close Brothers Invoice Finance.

Your username is 05510/0420078
Your password should already be known to you.

If you have any queries please contact:

For Credit Control: creditcontrolqueriesCBIF@closebrothers.com

For login help: closloginhelp@netsend.biz

If you’re considering growing your business or are simply looking for support with cash flow, visit our website to see how we can help www.closeinvoice.co.uk/cashflow

Regards

Close Brothers Invoice Finance

The sernder's name will vary, as will the attachment name. I have only seen a single sample at the moment with a detection rate of 2/54. Functionally, the payload is identical to that found in this earlier spam run, and it drops the Dridex banking trojan.

Malware spam: "Invoice 01147665 19/12 £4024.80" / "Ibstock Group"

This fake financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam which was sent out earlier today.

From:    Amber Smith
Date:    7 January 2016 at 10:38
Subject:    Invoice 01147665 19/12 £4024.80

Hi,

Happy New Year to you !

Hope you had a lovely break.

Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.

Its invoice 01147665 19/12 £4024.80 P/O ETCPO 35094

Can you have a look at it for me please?

Thank-you !

Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group
Supporting Ibstock, Ibstock-Kevington & Forticrete
-----------------------------------------------
( +44 (0)1530 257371
( VPN: 700 2371
6 +44 (0)1530 257379

The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far (there are probably more) with VirusTotal detection rates of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show these documents communicating with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php

IPs are allocated to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)

As before, a binary geroin.exe is dropped which communicates with:

78.47.119.93 (Hetzner, Germany)

The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post.

Malware spam: "Your Latest Documents from Angel Springs Ltd [1F101177]"

This fake financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.

From:    Leonor Stevens
Date:    7 January 2016 at 10:13
Subject:    Your Latest Documents from Angel Springs Ltd [1F101177]

Dear Customer,

Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.

Here's a few ways we've made it easier for you:

    Your new documents are now attached to your email. You don't have to follow a link now to get to your documents.

    Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.

    You can simply and easily raise any queries you may have through the customer portal.

Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.

If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.

To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document

With Kind Regards,

Angel Springs Ltd

Yesterday I saw several spam runs similar to this coming from Dridex botnet 120. There are many, many variations of the attachment although I do not believe that they are uniquely-generated.

The three samples I have sent for analysis so far has VirusTotal detection rates of 2/55 [1] [2] [3] and the Malwr reports [4] [5] [6] show an initial communication with:

193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php
These IPs belong to:

176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)

I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness [1] [2] [3].

Note that there are probably other download locations. Check back later if you are interested.

These malicious documents drop a binary geroin.exe which has a detection rate of 3/54. The Malwr report for this shows it phoning home to:

78.47.119.93 (Hetzner, Germany)

Binary MD5:
088724715613ff48edf090a74c8b6413

Attachment MD5s:
53521464ee6d70ec6c93f2e038e92651
3dfef23d2f6846133f1758dca675afd2
9bfadfe1c8dd23a0358c5ae4a6f7f465
a1c601351f865e5d9f8315ecc867971d
939aa6ebf02a338fab864690467909fa
1021f12f47d1d68e12d3e81ad6f44a92
30097bc5a0903db248252f3e01344b8b
25ae775c96146b4bfba1a88f755ccc20
c225905d94f1b3a0a1dae86109c80e51
617d676e09a74fa0fb099509a2f57ac8
fbb83ab6ae5a3ef2bac5f5ff549713b5
7d5b9851c8bc682ff621568cc648c9e6
3a4cb5fa7aa75afc72cef5709576f441
0b60bad71222d1fb091efeef6fa3524a
ed8f764742a827d23a56c439a0393448
1b93d2fcbe94d9a6e248ddf964078406
f37cfbead3e52549c7490a4aaf20e423
2ef9a2bb6e59c75cef3643700e054385
d167d52dfd4d69c7cf336abff6b71280
d1038a983442ce25535d707e9568b03b

Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
193.201.227.12

Wednesday 6 January 2016

Malware spam: "Unilet Invoice 67940597"

This fake invoice seems to be a bit confused as to who is sending it. It has a malicious attachment.

From:    Desiree Doyle
Date:    6 January 2016 at 12:29
Subject:    Unilet Invoice 67940597

Hello,

Please find attached another invoice to pay please by BACS.

Thanks
Desiree Doyle
Accounts Department

-----Original Message-----
From: Desiree Doyle
Sent: 06 January 2016 12:30
To: Desiree Doyle
Subject: Scanned from a Xerox Multifunction Device

Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Device.

Attachment File Type: pdf, Multi-Page

Multifunction Device Location: Melbury House-MG01
Device Name: 7225

For more information on Xerox products and solutions, please visit http://www.xerox.com

BU is a Disability Two Ticks Employer and has signed up to the Mindful Employer charter. Information about the accessibility of University buildings can be found on the BU DisabledGo webpages This email is intended only for the person to whom it is addressed and may contain confidential information. If you have received this email in error, please notify the sender and delete this email, which must not be copied, distributed or disclosed to any other person. Any views or opinions presented are solely those of the author and do not necessarily represent those of Bournemouth University or its subsidiary companies. Nor can any contract be formed on behalf of the University or its subsidiary companies via email.

The attachment has a random name in the format remit41071396.doc and I have seen three different versions with quite low detection rates [1] [2] [3]. The Malwr reports for these [4] [5] [6] indicate that it has the same behaviour as the spam documented here, dropping a file tsx.exe with an MD5 of fdd95b4cc10b536934486c7d3fdee04f.

Malware spam: "STA19778072 - BACS PAYMENT"

This fake financial spam comes with different sender names, reference details and attachment names. However, in all cases the attachment is malicious.

From:    Forrest Cleveland
Date:    6 January 2016 at 11:23
Subject:    STA19778072 - BACS PAYMENT

Importance: High

Hello,

Wasn’t sure who to email.

I don’t know if you have been asked but Statestrong Products Ltd are making one payment today for two cars. Could you let me know when it is in the account please as these are both collections tomorrow.

YG15XVK paid set up fee by card
£455.99 Incl vat rental
£500 deposit

DE64ZXM
£210 setup fee
£431.99 Incl vat rental
£500 deposit

Total - £2097.98

Thanks

Lorie

So far I have seen three different attachment variants (VirusTotal results [1] [2] [3]) and these Malwr reports [4] [5] [6] indicate the same general characteristics as this spam run. However in this case the dropped file tsx3.exe has been updated and the new version has a detection rate of 6/54. The Malwr report indicates very similar traffic to before.

Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224

Malware spam: "Payment notification from Third Energy Services Limited"

This fake financial email comes with a malicious attachment.

From:    Addie Caldwell
Date:    6 January 2016 at 10:31
Subject:    Payment notification from Third Energy Services Limited

Payment notification from Third Energy Services Limited

Third Energy Services Limited

Registered in England & Wales. Registered number: 85752524.
Registered office: 7th Floor. Portland House, Bressenden Place, London, UK, SW1E 5BH
Tel: 01944 759904 ot 0207 0420 800
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Third Energy. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in error.

Addie

The sender's name varies. So far I have seen three different versions of the attachment (in the format remit85752524.doc or similar) with VirusTotal detection rates in the range of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show similar characteristics to this spam run plus this additional URL:

109.234.34.224/jasmin/authentication.php

This IP is allocated to McHost.RU in Russia and can be considered as malicious. The payload is unknown, but is possible Dridex.

Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224

Malware spam: "Invoice for IA20114520"

This fake financial spam comes with a malicious attachment. The sender's name, reference numbers and attachment names vary. It seems to be closely related to this spam run.

From:    Viola Carrillo
Date:    6 January 2016 at 09:53
Subject:    Invoice for IA20114520

To Whom It May Concern,

Please find attached an invoice relating to Penalty Charge Notice Number IA20114520 along with a copy of the contravention.

In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.

Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.

Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.

I have seen two variants of the attachment (VirusTotal results [1] [2]) and these two Malwr reports [3] [4] indicate identical characteristics to the payload in this spam run which is also being sent out today.

Malware spam "Invoice-205611-49934798-CROSSHILL SF"

This fake financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:

From:    Bertha Sherman
Date:    6 January 2016 at 09:29
Subject:    Invoice-205611-49934798-CROSSHILL SF

Dear Customer,

Please find attached Invoice 02276770 for your attention.

Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
01635 279370.

For Pricing or other general enquiries please contact your local Sales Team.

Yours Faithfully,

Credit Dept'

I have seen at least four different attachments with names in a format similar to invoice40201976.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show that the malware contained within POSTs to:

37.46.130.53/jasmin/authentication.php
179.60.144.21/jasmin/authentication.php
195.191.25.138/jasmin/authentication.php

Those reports also show communication to other suspect IPs, giving:

94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)

This Hybrid Analysis also shows similar characteristics.

The macro drops a file tsx3.exe with a detection rate of 7/55. The Malwr report doesn't give any particlar insight as to what this is, but it is likely to be a banking trojan or ransomware. UPDATE: this is Dridex (botnet 120 apparently), and thos the dropped file has been updated to this one.

There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost.RU IP in Russia:

109.234.34.224/jasmin/authentication.php

MD5s (dropped EXE):
fdd95b4cc10b536934486c7d3fdee04f
613f5e4139e8006e9d47cb562450bc4a

MD5s (attachments):
06afdf7eaa3aa0d07b74c87c2c4bcede
11efa97e6091fa608596b463c9a20718
1574669aae13badc47b5c32927d22fb9
1988f8c864689bfd725e659e0815f032
27f891f6b0c0820492408022a860accc
37cc9d15f4eb5173e30ebff8ae6d44f6
37dd4e12541994d719d669ef7408b042
41faea2d8d7334a1e645cedf2a297344
42694176858ef65ababe87c8eee3679d
430eb4d6bc75b3743169aba0b5c368b9
5a5e5ac6d0e12215d79d2d321ac7a303
60cb6167675a908e9bba8957ece0947b
63abdef9d973b820f656642831ef6e07
7d190049c2354c18bd850d086d8c43c8
81697ef360e4abd09d96cd58bb1c7f01
82e06ae650e81e77879c5a33dba058b6
840b0d424b541d3649c33e8264632ba7
933f50bd87c02b67e122520022677aa6
a17b2fc61c64381ba5a2a154085ee6e7
a1958f55febde3b0fac15490f5e0ac6e
a43490f4c09e519d72296898343ab04f
ab41e3d7fa1e3d98a0bdec1e4086058a
b614c2f6f07620e53375c35efc692596
bc3142ce5e20814e98e582fa9b258501
cda4ba15eebc6ae3a9ab54610b38db04
d44c6490ab1c86adf9a99da1d173fc2f
d86f5160a0ea91bee70972e2bbf2c86d
e8bd65668d68410adacee9463eb1489e
ee70b032f96fb8f484019396aa130a55
ef4fd29b806675346661aec4907a14f7
f39fcd49bdbd7f100047594d8d7875b4
f65d8b3310f758c5d9c0f156d859125f
ff5f8da0f0d4c7e851dbf5c6d94fa0dc
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224

Monday 4 January 2016

Evil network: 199.195.196.176/29 / Roman Alyabiev

199.195.196.176/29 is a small bunch of IPs hosting browser hijacker sites, belonging to Hosting Services, Inc. in Utah and suballocated to a customer.

Several domains are flagged by Google as leading to PUAs or malware [1] [2] [3] [4] [5] [6], and almost all those domains also have anonymous registrations.

However, the domain goforfiles.com does not have anonymous registration, and those details are:

Registry Registrant ID:
Registrant Name: Roman Alyabiev
Registrant Organization: Righway Technologies, Inc.
Registrant Street: 1740 H Dell Range Blvd #281
Registrant City: Cheyenne
Registrant State/Province:
Registrant Postal Code: 82009
Registrant Country: US
Registrant Phone: +1.3074590153
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@goforfiles.com
Registry Admin ID:

There is no such company as "Righway Technologies, Inc" but the name Roman Alyabiev matches the records for the IP block:

network:Network-Name:Dedicated Server
network:IP-Network:199.195.196.176/29
network:IP-Network-Block:199.195.196.176 - 199.195.196.183
network:Org-Name:Alyabiev, Roman
network:Street-Address:pr. Molodeznoi 7 kv. 101
network:City:Kemerovo
network:State:
network:Postal-Code:650044
network:Country-Code:RU

A full list of sites currently or recently hosted in this block can be found here. The domains in use for browser hijacking are:

bestfiledownload.biz
dailyfiledownload.biz
down4load.biz
down-loader.biz
esurf.biz
fansfile.biz
filedatabase.biz
gofor-files.biz
go-for-files.biz
interarchive.biz
loadarchive.biz
lucky-tab.biz
retailfile.biz
sprintload.biz
usedfile.biz
worldfiledownload.biz
yourfiledownloader.biz
archievedownload.com
down4loader.com
downweb-loader.com
express-downloader.com
express-files.com
failsmail.com
filearchieve.com
foryourwebs.com
goforfiles.com
go-for-files.com
houmpage.com
realdown4load.com
safesurfs.com
simple-files.com
smile-file.com
smile-files.com
webdown-loader.com
yfdownloader.com
yorfiled.com
yourfdownloader.com
yourfiledl.com
yourfiledownloader.com
yourfile-downloader.com
yourwebing.com
archievedownload.net
down4loading.net
down4loadist.net
foryourweb.net
goforfiles.net
gofor-files.net
lucky-tab.net
thefailsmail.net
yfdownloader.net
yourfaild.net
yourfdownloader.net
yourfiledownloader.net
yourfile-downloader.net
your-home-page.net
yourwebing.net
goforfiles.org
lucky-browse.org
yourfiledownloader.org

Blocking 199.195.196.176/29 or monitoring traffic to it might detect infected hosts, that appear to have a bunch of per-per-install crapware and other stuff installed.

Wednesday 23 December 2015

Malware spam: "Christmas Industrial Decorating invoice-50473367)"

This fake invoice has a malicious attachment:

From:    Rachael Murphy
Date:    23 December 2015 at 13:05
Subject:    Christmas Industrial Decorating invoice-50473367)

Good afternoon,

Please find attached 1 invoice for processing.

Regards and Merry Christmas!

Rachael Murphy
Financial Manager

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

The sender's name and reference number varies, the attachment is in the format invoice45634499.doc and it comes in at least three different versions (VirusTotal results [1] [2] [3]).

Analysis is pending, the payload is likely to be the Dridex banking trojan.

The payload appears to be the same as the one found in this spam run.

Link List

Sponsored by..