Fake 'Payment', Fake DHL, Fake 'Notice to appear in Court' SPAM
FYI...
Fake 'Payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/paymen...sheet-malware/
25 Mar 2015 - "'Payment 1142' pretending to come from James Dudley <James.Dudley@ hitec .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Payment sheet attached.
James
T 01353 624023
F 01353 624043
E james.dudley@ hitec .co.uk
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
25 February 2015 : Payment 1142.doc - Current Virus total detections: 2/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1427270267/
- http://blog.dynamoo.com/2015/03/malw...es-dudley.html
25 Mar 2015 - "This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.
From: James Dudley [James.Dudley@ hitec .co.uk]
Date: 25 March 2015 at 09:38
Subject: Payment 1142
Payment sheet attached.
James
T 01353 624023
F 01353 624043
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57*. It contains this malicious macro... which attempts to download a component from:
http ://madasi.homepage .t-online .de/dbcfg/32.exe
..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57**. Automated analysis of this binary is pending, but is so far inconclusive...
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security[1] gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24 "
* https://www.virustotal.com/en/file/4...is/1427293393/
** https://www.virustotal.com/en/file/7...is/1427293399/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Fake Citi SPAM - PDF malware
- http://myonlinesecurity.co.uk/citi-m...e-pdf-malware/
25 Mar 2015 - "'Citi Merchant Services statements – 05721901-6080' ( random numbers) pretending to come from user <noreply@ efsnb-archive .com> with a zip attachment is another one from the current bot runs... The email looks like:
Attached is your Merchant Statement. It is secured so that only an
authorized recipient can open it. To open, click on the attachment.
In order to view
the attached PDF file, you need Adobe Acrobat Reader Version 8.0
installed.
Click on the following link:
<http ://www.adobe .com/products/acrobat/readstep2.html> to complete a free
install or re-install if you have an older version.
Visit Microsoft’s self
help website at www .microsoft .com or contact your ISP if you do not
receive the attachment.
Delivering your statements directly to your desktop is just one
more way we’ve increased the speed of business. Thanks again for
choosing CTS Holdings, LLC as your merchant processor. CTS Holdings, LLC, you can
count on us!
This is a post-only mailing. Please do not respond. To change
preferences please contact Customer Service at 1-800-238-7675.
25 March 2015 : random zip name : Extracts to: Merchant.exe - Current Virus total detections: 6/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1427293896/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
46.249.3.66: https://www.virustotal.com/en/ip-add...6/information/
134.249.63.46: https://www.virustotal.com/en/ip-add...6/information/
- http://threattrack.tumblr.com/post/1.../citibank-spam
Mar 25, 2015
Malicious File Name and MD5:
Merchant.exe (4007601E07343ADD409490F572F97D46)
Tagged: Citibank, Upatre
___
Fake 'Invoice ID' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malw...2ab34-123.html
25 Mar 2015 - "This terse spam has a malicious attachment:
From: Gerry Carpenter
Date: 25 March 2015 at 12:58
Subject: Invoice ID:34bf33
123
There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has -zero- detections*. Unlike most recent document-based attacks, this does -not- contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked, the spreadsheet itself is designed to get the victim to click-and-run that object.
> https://1.bp.blogspot.com/-erquBHy1O.../excel-ole.png
Automated analysis doesn't show very much, but it does show the screenshots [1] [2]... the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56**, and the Payload Security report shows it communicating with the following IPs:
92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
The payload is most likely Dridex.
Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175
MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088 "
* https://www.virustotal.com/en/file/a...is/1427298940/
** https://www.virustotal.com/en/file/f...is/1427296948/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://malwr.com/analysis/NTI5ODY2Z...QwNDcxMDBkZjc/
___
Fake 'ACH failure' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ach-te...e-pdf-malware/
25 Mar 2015 - "'ACH technical failure' pretending to come from The Electronic Payments Association <June.Parks@ nacha .org> [random names nacha .org] at with a link to a zip attachment is another one from the current bot runs... Other subjects in this series of spam malicious emails on the nacha theme are:
Transaction system failure
ACH transfer error
ACH technical failure
Your transfer failed due to technical failure ...
The email looks like:
ACH PAYMENT REJECTED
The ACH Payment (ID: 53213740992857), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
Rejection Reason: See details in the report below
Payment Report: report_53213740992857.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association
The link once again goes to a cubby user content site...
25 March 2015: Secure_Message.zip: Extracts to: Secure_Message.exe
Current Virus total detections: 11/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1427301251/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
46.249.3.66: https://www.virustotal.com/en/ip-add...6/information/
134.249.63.46: https://www.virustotal.com/en/ip-add...6/information/
___
Fake DHL SPAM - malware
- http://myonlinesecurity.co.uk/dhl-aw...pment-malware/
25 Mar 2015 - "'DHL AWB# 34 5673 0015 / shipment' pretending to come from DHL Express <info@ dhl .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear customer,
The following 1 piece(s) have been sent by a Customer via DHL Express on 22-03-2015 via AWB# 34 5673 0015
Find attached Scanned copy of the shipping documents and more information about the parcel and confirm if the address is correct for shipment.
Thank you.
25 March 2015: DOCUMENTS.zip: Extracts to: DOCUMENTS.exe - Current Virus total detections: 7/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1427286243/
... Behavioural information
TCP connections
66.171.248.172: https://www.virustotal.com/en/ip-add...2/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Notice to appear in Court' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malw...notice-to.html
24 Mar 2015 - "These two emails come with a malicious attachment:
From: County Court [lester.hicks@ whw0095 .whservidor .com]
Date: 24 March 2015 at 16:45
Subject: AERO, Notice to Appear
This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Yours faithfully,
Lester Hicks,
Court Secretary.
-------------
From: District Court [cody.bowman@ p3nw8sh177 .shr.prod.phx3 .secureserver .net]
Date: 24 March 2015 at 16:44
Subject: AERO, Notice to appear in Court #0000310657
Dear Aero,
This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Cody Bowman,
District Clerk.
In these two case the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57*]... and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57**]... respectively. These scripts attempt to download malicious code... Details in the download locations vary, but are in the format:
ilarf .net/document.php?rnd=1161&id=
gurutravel .co .nz/document.php?rnd=3022&id=
This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57*** and 4/56****. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything. The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports... indicate badness on at least the following IPs:
176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25
I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24. I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus[5] software.
MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee "
* https://www.virustotal.com/en/file/2...is/1427221635/
** https://www.virustotal.com/en/file/d...is/1427221612/
*** https://www.virustotal.com/en/file/b...is/1427222714/
**** https://www.virustotal.com/en/file/d...is/1427223237/
5] http://www.microsoft.com/security/po...:Win32/Trapwot
