Fake 'Proforma Invoice', 'Delivery Confirmation', 'Undefined transactions' SPAM
FYI...
Fake 'Proforma Invoice' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
20 Jan 2015 - "This -fake- invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a -forgery- designed to get you to click the malicious attachment.
From: Monika [monika.goetz@ bigk .co.uk]
Date: 20 January 2015 at 07:18
Subject: Proforma Invoice
Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
Kind regards,
Monika Goetz
Sales & Marketing Co-ordinator
The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro... which attempts to download a binary from:
http ://solutronixfze .com/js/bin.exe
..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56* and the Malwr report shows it attempting to phone home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These IPs have been used many times in similar recent attacks an I recommend you block them. It also drops a DLL with a VirusTotal detection rate of 2/57**. The payload appears to be the Dridex banking trojan. See also this post*** about a related spam run also in progress this morning."
* https://www.virustotal.com/en/file/...c5d19140c61a11aa0e346503/analysis/1421744001/
** https://www.virustotal.com/en/file/...7b3ace9c75fd2248aaad0a09/analysis/1421744963/
*** http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
- http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
20 Jan 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Big-K-proforma-invoice.png
> https://www.virustotal.com/en/file/...f09a70b660c15fbab956eba1855024fcfbb/analysis/
___
Fake 'Barclays Online Bank [security-update]' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-barclays-important-update.html
20 Jan 2015 - "This -fake- Barclays spam leads to malware.
From: Barclays Online Bank [security-update@ barclays .com]
Date: 20 January 2015 at 14:41
Subject: Barclays - Important Update, read carefully!
Dear Customer,
Protecting the privacy of your online banking access and personal information are our primary concern.
During the last complains because of online fraud we were forced to upgrade our security measures.
We believe that Invention of security measures is the best way to beat online fraud.
Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
For security reasons we downloaded the Update Form to security Barclays webserver.
You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
- Please download and complete the form with the requested details: <URL redacted>
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)
Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
Thank you for your patience as we work together to protect your account.
Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
Sincerely,
Barclays Online Bank Customer Service
We apologize for any inconvenience this may have caused...
The link in the email varies, some other examples seen are:
http ://nrjchat .org/ONLINE~IMPORTANT-UPDATE/last-update.html
http ://utokatalin .ro/ONLINE-BANKING_IMPORTANT/update.html
http ://cab .gov .ph/ONLINE-IMPORTANT~UPDATE/last~update.html
Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
The Malwr report shows traffic to the following URLs:
http ://202.153.35.133 :33384/2001uk11/HOME/0/51-SP3/0/
http ://202.153.35.133 :33384/2001uk11/HOME/1/0/0/
http ://clicherfort .com/mandoc/eula012.pdf
http ://202.153.35.133 :33387/2001uk11/HOME/41/7/4/
http ://essextwp .org/mandoc/ml1from1.tar
Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57* and is identified as Dyreza.C by Norman anti-virus."
1] https://www.virustotal.com/en/file/...c65088ac8726755259962571/analysis/1421768747/
2] https://www.virustotal.com/en/file/...973cd134f8d1d90a6a8d4377/analysis/1421768757/
3] https://www.virustotal.com/en/file/...3d342f8acb601e0c21c89349/analysis/1421768766/
* https://www.virustotal.com/en/file/...3a42bdd77b8b743be27d89c4/analysis/1421770305/
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
- http://myonlinesecurity.co.uk/barclays-important-update-read-carefully-fake-pdf-malware-2/
20 Jan 2015
* https://www.virustotal.com/en/file/...707551f27e2b6cf541faf6ca/analysis/1421769761/
- http://threattrack.tumblr.com/post/108646232563/barclays-important-update-spam
Jan 20, 2015
Tagged: Barclays, Upatre
___
Fake 'Delivery Confirmation' SPAM – doc malware
- http://myonlinesecurity.co.uk/mereway-kitchens-delivery-confirmation-word-doc-malware/
20 Jan 2015 - "'mereway kitchens Delivery Confirmation' pretending to come from mereway kitchens <sales.north@ mereway .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... 2 versions of this spreading today. In one version once again the body of the email is completely -blank- ... and the malware is the same as today’s version of Proforma Invoice Monika big K – Word doc malware*. The second version also having the same malware just simply says 'Delivery Confirmation'..."
* http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
- http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
20 Jan 2015
1] https://www.virustotal.com/en/file/...15fbab956eba1855024fcfbb/analysis/1421745692/
2] https://www.virustotal.com/en/file/...8b80c0cf532a72acf9fe46d0/analysis/1421746148/
___
Fake 'Undefined transactions' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-undefined-transactions.html
20 Jan 2015 - "This spam comes in a few different variants, however the body text always seems to be the same:
From: Joyce Mills
Date: 20 January 2015 at 10:30
Subject: Undefined transactions (need assistance) Ref:1647827ZM
Good morning
I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
P.S. Undefined transactions are included in the attached DOC.
Regards,
Joyce Mills
Senior Accounts Payable
PAYPOINT
The reference number is randomly generated and changes in each case, attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated... I have seen two different variants of Word document in circulation, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro... which attempt to download from the following locations:
http ://189.79.63.16 :8080/koh/mui.php
http ://203.155.18.87 :8080/koh/mui.php
This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57*. That report indicates that it attempts to phone home to:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP is commonly used in this type of attack, I would strongly recommend you block it. The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57**, which is the same DLL as seen earlier today***."
1] https://www.virustotal.com/en/file/...4a3d14ce8d638fb6d6185fd2/analysis/1421750540/
2] https://www.virustotal.com/en/file/...e92ea6a51e29b68b83739765/analysis/1421750559/
* https://www.virustotal.com/en/file/...0161f40ca02e0b50d468809a/analysis/1421750847/
** https://www.virustotal.com/en/file/...7b3ace9c75fd2248aaad0a09/analysis/1421752892/
*** http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
- http://myonlinesecurity.co.uk/undefined-transactions-need-assistance-ref50236lv-word-doc-malware/
20 Jan 2015
* https://www.virustotal.com/en/file/...e92ea6a51e29b68b83739765/analysis/1421749886/
___
Fake 'IRS' SPAM - doc malware
- http://myonlinesecurity.co.uk/internal-revenue-service-complaint-company-word-doc-malware/
20 Jan 2015 - "'Complaint against your company' pretending to come from Internal Revenue Service <complaints@irs.gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear business owner,
A criminal complaint has been filled against your company.
Your company is being accused of trying to commit tax evasion schemes.
The full text of the complaint file ( .DOC type ) can be viewed in your
Microsoft Word, complaint is attached.
AN official response from your part is required, in order to take further
action.
Please review the charges brought forward in the complaint file, and
contact us as soon as possible by :
Telephone Assistance for Businesses: Toll-Free, 1-800-829-4933
Email: complaints@ irs .gov
Thank you,
Internal Revenue Service Fraud Prevention Department
20 January 2015 : complaint20150119.doc - Current Virus total detections: 22/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9ac10b41b4af40f30d6fbb12/analysis/1421772306/
___
Fake 'Bank of Canada' SPAM – PDF malware
- http://myonlinesecurity.co.uk/national-bank-canada-notice-payment-fake-pdf-malware/
20 Jan 2015 - "'National Bank of Canada Notice of payment pretending to come from sac.sbi@ sibn .bnc .ca with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You can view and print the notice of payment using the Netscape or
Microsoft Explorer browsers, versions 6.2 and 5.5. You can export and store the
notice of payment data in your spreadsheet by choosing the attached file in
pdf format “.pdf”.
If you have received this document by mistake, please advise us immediately
and return it to us at the following E-mail address:
“sac.sbi@ sibn .bnc .ca”.
Thank you.
National Bank of Canada
600 de La Gauchetire West, 13th Floor
Montreal, Quebec H3B 4L2 ...
20 January 2015: payment_notice.zip: Extracts to: payment_notice.scr
Current Virus total detections: 13/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...8217e3713ffe6a861b1d33b6/analysis/1421783533/
:fear:
FYI...
Fake 'Proforma Invoice' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
20 Jan 2015 - "This -fake- invoice leads to malware. It is not being sent by Big K Products UK Ltd, their systems have not been hacked or compromised. Instead, the email is a -forgery- designed to get you to click the malicious attachment.
From: Monika [monika.goetz@ bigk .co.uk]
Date: 20 January 2015 at 07:18
Subject: Proforma Invoice
Please find enclosed the proforma invoice for your order. Please let me know when payment has been made, so that the goods can be despatched.
Kind regards,
Monika Goetz
Sales & Marketing Co-ordinator
The document attached is Proforma.doc which is currently undetected by AV vendors. It contains a malicious macro... which attempts to download a binary from:
http ://solutronixfze .com/js/bin.exe
..which is saved to %TEMP%\324234234.exe. This has a VirusTotal detection rate of 2/56* and the Malwr report shows it attempting to phone home to:
59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
These IPs have been used many times in similar recent attacks an I recommend you block them. It also drops a DLL with a VirusTotal detection rate of 2/57**. The payload appears to be the Dridex banking trojan. See also this post*** about a related spam run also in progress this morning."
* https://www.virustotal.com/en/file/...c5d19140c61a11aa0e346503/analysis/1421744001/
** https://www.virustotal.com/en/file/...7b3ace9c75fd2248aaad0a09/analysis/1421744963/
*** http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
- http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
20 Jan 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/01/Big-K-proforma-invoice.png
> https://www.virustotal.com/en/file/...f09a70b660c15fbab956eba1855024fcfbb/analysis/
___
Fake 'Barclays Online Bank [security-update]' SPAM
- http://blog.dynamoo.com/2015/01/malware-spam-barclays-important-update.html
20 Jan 2015 - "This -fake- Barclays spam leads to malware.
From: Barclays Online Bank [security-update@ barclays .com]
Date: 20 January 2015 at 14:41
Subject: Barclays - Important Update, read carefully!
Dear Customer,
Protecting the privacy of your online banking access and personal information are our primary concern.
During the last complains because of online fraud we were forced to upgrade our security measures.
We believe that Invention of security measures is the best way to beat online fraud.
Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.
For security reasons we downloaded the Update Form to security Barclays webserver.
You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.
- Please download and complete the form with the requested details: <URL redacted>
- Fill in all required fields with your accurately details (otherwise will lead to service suspension)
Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.
Thank you for your patience as we work together to protect your account.
Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.
Sincerely,
Barclays Online Bank Customer Service
We apologize for any inconvenience this may have caused...
The link in the email varies, some other examples seen are:
http ://nrjchat .org/ONLINE~IMPORTANT-UPDATE/last-update.html
http ://utokatalin .ro/ONLINE-BANKING_IMPORTANT/update.html
http ://cab .gov .ph/ONLINE-IMPORTANT~UPDATE/last~update.html
Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.
The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].
The Malwr report shows traffic to the following URLs:
http ://202.153.35.133 :33384/2001uk11/HOME/0/51-SP3/0/
http ://202.153.35.133 :33384/2001uk11/HOME/1/0/0/
http ://clicherfort .com/mandoc/eula012.pdf
http ://202.153.35.133 :33387/2001uk11/HOME/41/7/4/
http ://essextwp .org/mandoc/ml1from1.tar
Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57* and is identified as Dyreza.C by Norman anti-virus."
1] https://www.virustotal.com/en/file/...c65088ac8726755259962571/analysis/1421768747/
2] https://www.virustotal.com/en/file/...973cd134f8d1d90a6a8d4377/analysis/1421768757/
3] https://www.virustotal.com/en/file/...3d342f8acb601e0c21c89349/analysis/1421768766/
* https://www.virustotal.com/en/file/...3a42bdd77b8b743be27d89c4/analysis/1421770305/
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
- http://myonlinesecurity.co.uk/barclays-important-update-read-carefully-fake-pdf-malware-2/
20 Jan 2015
* https://www.virustotal.com/en/file/...707551f27e2b6cf541faf6ca/analysis/1421769761/
- http://threattrack.tumblr.com/post/108646232563/barclays-important-update-spam
Jan 20, 2015
Tagged: Barclays, Upatre
___
Fake 'Delivery Confirmation' SPAM – doc malware
- http://myonlinesecurity.co.uk/mereway-kitchens-delivery-confirmation-word-doc-malware/
20 Jan 2015 - "'mereway kitchens Delivery Confirmation' pretending to come from mereway kitchens <sales.north@ mereway .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... 2 versions of this spreading today. In one version once again the body of the email is completely -blank- ... and the malware is the same as today’s version of Proforma Invoice Monika big K – Word doc malware*. The second version also having the same malware just simply says 'Delivery Confirmation'..."
* http://myonlinesecurity.co.uk/proforma-invoice-monika-big-k-word-doc-malware/
- http://blog.dynamoo.com/2015/01/this-rather-terse-spam-comes-with.html
20 Jan 2015
1] https://www.virustotal.com/en/file/...15fbab956eba1855024fcfbb/analysis/1421745692/
2] https://www.virustotal.com/en/file/...8b80c0cf532a72acf9fe46d0/analysis/1421746148/
___
Fake 'Undefined transactions' SPAM - macro malware
- http://blog.dynamoo.com/2015/01/malware-spam-undefined-transactions.html
20 Jan 2015 - "This spam comes in a few different variants, however the body text always seems to be the same:
From: Joyce Mills
Date: 20 January 2015 at 10:30
Subject: Undefined transactions (need assistance) Ref:1647827ZM
Good morning
I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
P.S. Undefined transactions are included in the attached DOC.
Regards,
Joyce Mills
Senior Accounts Payable
PAYPOINT
The reference number is randomly generated and changes in each case, attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated... I have seen two different variants of Word document in circulation, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro... which attempt to download from the following locations:
http ://189.79.63.16 :8080/koh/mui.php
http ://203.155.18.87 :8080/koh/mui.php
This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57*. That report indicates that it attempts to phone home to:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP is commonly used in this type of attack, I would strongly recommend you block it. The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57**, which is the same DLL as seen earlier today***."
1] https://www.virustotal.com/en/file/...4a3d14ce8d638fb6d6185fd2/analysis/1421750540/
2] https://www.virustotal.com/en/file/...e92ea6a51e29b68b83739765/analysis/1421750559/
* https://www.virustotal.com/en/file/...0161f40ca02e0b50d468809a/analysis/1421750847/
** https://www.virustotal.com/en/file/...7b3ace9c75fd2248aaad0a09/analysis/1421752892/
*** http://blog.dynamoo.com/2015/01/malware-spam-monika-monikagoetzbigkcouk.html
- http://myonlinesecurity.co.uk/undefined-transactions-need-assistance-ref50236lv-word-doc-malware/
20 Jan 2015
* https://www.virustotal.com/en/file/...e92ea6a51e29b68b83739765/analysis/1421749886/
___
Fake 'IRS' SPAM - doc malware
- http://myonlinesecurity.co.uk/internal-revenue-service-complaint-company-word-doc-malware/
20 Jan 2015 - "'Complaint against your company' pretending to come from Internal Revenue Service <complaints@irs.gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:
Dear business owner,
A criminal complaint has been filled against your company.
Your company is being accused of trying to commit tax evasion schemes.
The full text of the complaint file ( .DOC type ) can be viewed in your
Microsoft Word, complaint is attached.
AN official response from your part is required, in order to take further
action.
Please review the charges brought forward in the complaint file, and
contact us as soon as possible by :
Telephone Assistance for Businesses: Toll-Free, 1-800-829-4933
Email: complaints@ irs .gov
Thank you,
Internal Revenue Service Fraud Prevention Department
20 January 2015 : complaint20150119.doc - Current Virus total detections: 22/57*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9ac10b41b4af40f30d6fbb12/analysis/1421772306/
___
Fake 'Bank of Canada' SPAM – PDF malware
- http://myonlinesecurity.co.uk/national-bank-canada-notice-payment-fake-pdf-malware/
20 Jan 2015 - "'National Bank of Canada Notice of payment pretending to come from sac.sbi@ sibn .bnc .ca with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
You can view and print the notice of payment using the Netscape or
Microsoft Explorer browsers, versions 6.2 and 5.5. You can export and store the
notice of payment data in your spreadsheet by choosing the attached file in
pdf format “.pdf”.
If you have received this document by mistake, please advise us immediately
and return it to us at the following E-mail address:
“sac.sbi@ sibn .bnc .ca”.
Thank you.
National Bank of Canada
600 de La Gauchetire West, 13th Floor
Montreal, Quebec H3B 4L2 ...
20 January 2015: payment_notice.zip: Extracts to: payment_notice.scr
Current Virus total detections: 13/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...8217e3713ffe6a861b1d33b6/analysis/1421783533/
:fear:
Last edited:
angerousObject.Multi.Generic, TrojanDownloader:Win32/Upatre.AW, HEUR/QVM19.1.Malware.Gen or Win32.Trojan.Inject.Auto. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."