Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic.
From: Companies House [noreply@companieshouses.co.uk]
Date: 2 November 2016 at 11:51
Subject: Companies House - new company complaint
Signed by: companieshouses.co.uk
Investigations and Enforcement Services
This message has been auto-generated in response to the company complaint submitted to our WebFiling service.
The submission number is ID109202DLK02911
Please find the attached document for your review.
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
Companies House
Crown Way
Cardiff
CF14 3UZ
Email enquiries@companies-house.gov.uk
Enquiries (UK) 0303 1234 500
International +44 303 1234 500
The Cardiff office is open 24 hours a day for the receipt of documents. Contact Centre lines are open between 8.30am and 6pm (Monday to Friday).
The sender is either noreply@companies-house.me.uk or noreply@companieshouses.co.uk - both those domains have actually been registered by the spammers with fake WHOIS details:
Registrant:
Camell Williams
Registrant type:
Unknown
Registrant's address:
550 HOLTS LAKE CT STE 101
Suite 101
Apopka
Florida
32703
United States
Both those domains are close to the genuine companieshouse.gov.uk, and because the email is digitally signed it might get past spam filters that would catch normal botnet-sent spam.
All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you block email traffic from those IPs.
Attached is a Word document Complaint.doc (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55] which according to this Hybrid Analysis downloads a binary from:
futuras.com/img/dododocdoc.exe
This is saved as sweezy.exe and has a detection rate of 7/57. At present that download location is down, probably due to exceeding bandwidth quota.
The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday:
78.47.139.102 (Unknown customer of Hetzner, Germany)
91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.107.111.164 (PP "Kremen Alliance", Ukraine)
193.124.177.117 (MAROSNET, Russia)
The uadomen.com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.
Recommended blocklist:
78.47.139.96/28
91.219.28.0/22
193.9.28.0/24
193.107.111.164
193.124.177.117
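A small triage helper that turns the two points above into checks, the lookalike sender domains and the recommended blocklist; this is an added example, not part of the original post. It uses only the domains, relay IPs and ranges quoted in the post, treats both companieshouse.gov.uk and the hyphenated companies-house.gov.uk (seen in the genuine footer) as legitimate, and the sample messages at the bottom are constructed.

```python
import ipaddress
import re

# Indicators taken from the write-up above.
GENUINE_DOMAINS = {"companieshouse.gov.uk", "companies-house.gov.uk"}
SPAM_RELAYS = {"172.99.84.190", "172.99.88.226"}
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "78.47.139.96/28", "91.219.28.0/22", "193.9.28.0/24",
    "193.107.111.164/32", "193.124.177.117/32")]


def sender_domain(from_header):
    """Domain after '@' in a From: header ('' if none); accepts [..] or <..> forms."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def brand_token(domain):
    """First label, hyphens removed, trailing 's' dropped: 'companies-house' and
    'companieshouses' both reduce to 'companieshouse'."""
    return domain.lower().split(".")[0].replace("-", "").rstrip("s")


def is_lookalike(domain):
    """True when the domain imitates the Companies House brand but is not a genuine one."""
    return (domain not in GENUINE_DOMAINS
            and brand_token(domain) == brand_token("companieshouse.gov.uk"))


def in_blocklist(ip):
    """True when ip is one of the spam relays or inside a recommended blocklist range."""
    addr = ipaddress.ip_address(ip)
    return ip in SPAM_RELAYS or any(addr in net for net in BLOCKLIST)


def triage(message):
    """Reasons a message matches this run's indicators (empty list means none)."""
    reasons = []
    dom = sender_domain(message["from"])
    if is_lookalike(dom):
        reasons.append(f"lookalike sender domain {dom}")
    if in_blocklist(message["ip"]):
        reasons.append(f"IP {message['ip']} is on the recommended blocklist")
    return reasons


# Constructed sample messages, not taken from any real mail flow.
SAMPLES = [
    {"from": "Companies House <noreply@companieshouses.co.uk>", "ip": "172.99.84.190"},
    {"from": "Companies House <noreply@companies-house.me.uk>", "ip": "91.219.28.58"},
    {"from": "Companies House <enquiries@companies-house.gov.uk>", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["from"], "->", triage(msg) or "no indicators")
```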