Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #34 - AplusWebMaster (Adviser Team), joined Oct 2005, USA, 6,881 posts

    Fake 'Insurance', 'Water Services Invoice', 'Invoice 1377' SPAM

    FYI...

    Fake 'Insurance' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...insurance.html
    12 Oct 2015 - "This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.
    From [accounts@ nolettinggo .co.uk]
    Date Mon, 12 Oct 2015 11:43:16 +0330
    Subject Insurance
    Dear all
    Please find attached insurance paperwork including EL certificate. Invoices
    will follow at the beginning of November.
    Regards
    Karen


    In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56*. This particular document contains this malicious macro... which downloads a malware component from the following location:
    ukenterprisetours .com/877453tr/rebrb45t.exe
    The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56**. That VirusTotal report and this Hybrid Analysis report[3] show network traffic to:
    149.210.180.13 (TransIP BV, Netherlands)
    I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan..."
    * https://www.virustotal.com/en/file/f...is/1444637908/

    ** https://www.virustotal.com/en/file/0...is/1444638547/
    ... Behavioural information
    TCP connections
    149.210.180.13: https://www.virustotal.com/en/ip-add...3/information/
    92.123.225.120: https://www.virustotal.com/en/ip-add...0/information/

    3] https://www.hybrid-analysis.com/samp...nvironmentId=3

    ukenterprisetours .com: 46.20.120.64: https://www.virustotal.com/en/ip-add...4/information/

    - http://myonlinesecurity.co.uk/nolett...d-doc-malware/
    12 Oct 2015 - "An email that appears to come from nolettinggo .co.uk with the subject of 'Insurance' pretending to come from accounts@ nolettinggo .co.uk with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...o-1024x497.png

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    12 October 2015 : SKMBT_C36014102815580.doc - Current Virus total detections 7/55*
    .. Downloads Dridex banking malware from http ://capricorn-cleaning .co.uk/877453tr/rebrb45t.exe
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1444635759/

    capricorn-cleaning .co.uk: 109.108.129.21: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...s-invoice.html
    12 Oct 2015 - "This -fake- financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:
    From "UUSCOTLAND" <UUSCOTLAND@ uuplc .co.uk>
    Date Mon, 12 Oct 2015 17:12:12 +0530
    Subject Water Services Invoice
    Good Morning,
    I hope you are well.
    Please find attached the water services invoice summary for the billing period of
    12 September 2015 to 12 October 2015.
    If you would like any more help, or information, please contact me...
    Kind regards
    Melissa
    Melissa Lears
    Billing Specialist
    Business Retail
    United Utilities Scotland
    T: 0345 0726077 (26816)...
    The information contained in this e-mail is intended only for the individual to whom it is addressed. It may contain legally privileged or confidential information or otherwise be exempt from disclosure. If you have received this Message in error or there are any problems, please notify the sender immediately and delete the message from your computer. You must not use, disclose, copy or alter this message for any unauthorised purpose...


    Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least -four- different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro... Download locations spotted so far are:
    ukenterprisetours .com/877453tr/rebrb45t.exe
    eventmobilecatering .co.uk/877453tr/rebrb45t.exe
    thewimbledondentist .co.uk/877453tr/rebrb45t.exe
    cardiffhairandbeauty .co.uk/877453tr/rebrb45t.exe
    All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
    46.20.120.64: https://www.virustotal.com/en/ip-add...4/information/
    109.108.129.21: https://www.virustotal.com/en/ip-add...1/information/
    213.171.218.221: https://www.virustotal.com/en/ip-add...1/information/
    This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56[5]...
    149.210.180.13 (TransIP BV, Netherlands)
    86.105.33.102 (Data Net SRL, Romania)
    I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.
    Recommended blocklist:
    149.210.180.13: https://www.virustotal.com/en/ip-add...3/information/
    86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
    .
    1] https://www.virustotal.com/en/file/d...is/1444652575/

    2] https://www.virustotal.com/en/file/b...is/1444652586/

    3] https://www.virustotal.com/en/file/b...is/1444652597/

    4] https://www.virustotal.com/en/file/f...is/1444652607/

    5] https://www.virustotal.com/en/file/d...is/1444652695/

    - http://myonlinesecurity.co.uk/water-...d-doc-malware/
    12 Oct 2015 - "An email that appears to come from United Utilities Scotland with the subject of 'Water Services Invoice' pretending to come from UUSCOTLAND <UUSCOTLAND@ uuplc .co.uk> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x690.png

    .. DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    12 October 2015: 12 October 2015 Invoice Summary.doc - Current Virus total detections 8/55*
    ... Downloads from the same locations as described in today’s earlier malspam run** of malicious word docs, but delivers an updated Dridex version (VirusTotal 1/56 ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1444654116/

    ** http://myonlinesecurity.co.uk/nolett...d-doc-malware/

    *** https://www.virustotal.com/en/file/d...is/1444652695/
    ... Behavioural information
    TCP connections
    86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoice 1377' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    12 Oct 2015 - "An email with the subject of 'Invoice 1377' pretending to come from info@ peachsoftware .co.uk with a zip attachment is another one from the current bot runs... The content of the email says:

    Please see invoice attached

    12 October 2015: invoice-1377.zip: Extracts to: invoice-1377.exe
    Current Virus total detections 4/56*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1444648227/
    ___

    Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles
    - http://www.secureworks.com/cyber-thr...edin-profiles/
    7 Oct 2015 - "Summary: While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.
    Fake LinkedIn accounts: The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity...
    Legitimate endorsers of -fake- TG-2889 LinkedIn accounts by country:
    > http://www.secureworks.com/assets/im...e007_500px.png
    ... Ongoing threat: Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:
    - Avoid contact with known fake personas.
    - Only connect to personas belonging to individuals they know and trust.
    - Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not -verified- outside of LinkedIn.
    When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites..."

    Last edited by AplusWebMaster; 2015-10-13 at 01:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
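Added example (not from the post or the quoted blogs): a small Python check that a mail gateway or analyst could run over a zip attachment like the 'invoice-1377.zip' described above. The sample archive is constructed inline (hypothetical data, not the real sample); the check flags members with executable or double extensions and, independent of the file name or icon, any member whose bytes start with the Windows PE "MZ" magic.

```python
import io
import zipfile

# Extensions Windows will execute when double-clicked (assumption: a typical
# gateway blocklist; extend to taste).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def build_sample_zip():
    """Constructed sample archive: two PE files disguised as an invoice,
    plus two harmless members. Not the actual invoice-1377.zip."""
    buf = io.BytesIO()
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice-1377.exe", fake_pe)          # icon spoofed, as in the post
        zf.writestr("invoice-1377.pdf.exe", fake_pe)      # double-extension variant
        zf.writestr("readme.txt", b"Please see invoice attached\n")
        zf.writestr("real.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return a list of {'name', 'reasons'} for members that look executable.
    Inspection reads only the first two bytes of each member; nothing is run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable extension " + ext)
                if lower.count(".") > 1:
                    # e.g. invoice.pdf.exe: hidden extensions show it as a PDF
                    reasons.append("double extension")
            if head == b"MZ":
                # Content check: catches renamed binaries whatever the name says
                reasons.append("PE header (MZ) regardless of name")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in inspect_zip_attachment(build_sample_zip()):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```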
