Fake 'invoice', Fake 'order' SPAM - doc malware, 'Copy of transaction' xls malware
FYI...
Fake 'invoice' SPAM - doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-tag-automotive-group-ltd.html
16 Feb 2015 - "This -fake- invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a -forgery- with a malicious attachment. Note that the taghire .co.uk simply shows "Under Construction".
From: Lawrence Fisher [l.fisher@ taghire .co .uk]
Date: 16 February 2015 at 08:25
Subject: invoice
Here is the invoice
Kind Regards,
Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield...
So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal*. It contains an obfuscated Word macro which downloads an additional component from:
http ://laikah .de/js/bin.exe
Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis. This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57**. Automated reporting tools... show that this POSTS to 37.139.47.105. It appears that communication is attempted with the following IPs:
37.139.47.105 (Pirix, Russia)
78.140.164.160 (Webazilla, US)
95.163.121.179 (Digital Networks, Russia)
86.104.134.156 (One Telecom, Moldova)
117.223.58.214 (BSNL / Broadband Multiplay, India)
109.234.38.70 (McHost, Russia)
Also, according to the Malwr report***, a DLL is dropped with a detection rate of 3/57.
Recommended blocklist:
37.139.47.105
78.140.164.160
95.163.121.179
86.104.134.156
117.223.58.214
109.234.38.70 "
* https://www.virustotal.com/en/file/...0eff512b4a1fccecc3eb9e26/analysis/1424078591/
** https://www.virustotal.com/en/file/...85877d8d2c49a8ac26a90796/analysis/1424078636/
*** https://malwr.com/analysis/Yzg4MGU5M2ViNzIzNGRlZDk0ZWFhNzUwOTQ3NjYwMDg/
- http://myonlinesecurity.co.uk/lawrence-fisher-t-g-automotive-group-ltd-invoice-word-doc-malware/
16 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/tag-invoice.png
___
Fake 'order' SPAM - doc malware
- http://myonlinesecurity.co.uk/la-plastic-order-66990-word-doc-malware/
16 Feb 2015 - "'L&A Plastic Order# 66990' pretending to come from Hannah <Hannah@ lapackaging .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/LA-Plastic-Order-66990.png
This email has exactly the same malware although different file/document name as today’s versions of Lawrence Fisher T.A.G. (The Automotive Group) Ltd invoice - Word doc malware* and downloads the same dridex banking Trojan** from the same locations***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/lawrence-fisher-t-g-automotive-group-ltd-invoice-word-doc-malware/
** https://www.virustotal.com/en/file/...0eff512b4a1fccecc3eb9e26/analysis/1424075902/
*** https://www.virustotal.com/en/file/...85877d8d2c49a8ac26a90796/analysis/1424078802/
... Behavioural information
TCP connections
37.139.47.105: https://www.virustotal.com/en/ip-address/37.139.47.105/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-address/134.170.185.211/information/
___
Fake 'Copy of transaction' SPAM - xls malware
- http://blog.dynamoo.com/2015/02/malware-spam-re-data-request-id91460.html
16 Feb 2015 - "This rather terse spam comes with a malicious attachment:
From: Rosemary Gibbs
Date: 16 February 2015 at 10:12
Subject: Re: Data request [ID:91460-2234721]
Copy of transaction.
The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:
869B54732.xls
BE75129513.xls
C39189051.xls
None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro... It's quite apparent that this is ROT13 encoded which you can easily decrypt at http://www.rot13.com/index.php rather than working through the macro... So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57* and automated analysis tools... show attempted communications with:
85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)
It also drops a DLL with a 4/57** detection rate which is the same malware seen in this attack***.
Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151 "
[1] https://www.virustotal.com/en/file/...ced4f6b401d40a50d49c79c6/analysis/1424087084/
[2] https://www.virustotal.com/en/file/...9238d2d4e1613b8e3afc5568/analysis/1424087089/
[3] https://www.virustotal.com/en/file/...3bc57a5e8be0fa49aa180e23/analysis/1424087096/
* https://www.virustotal.com/en/file/...50dd09c123c6aa8f513d1bba/analysis/1424087041/
** https://www.virustotal.com/en/file/...9ef996239053ae5c4b7fe1e9/analysis/1424088561/
*** http://blog.dynamoo.com/2015/02/malware-spam-tag-automotive-group-ltd.html
- http://myonlinesecurity.co.uk/copy-transaction-re-data-request-id20169-182-excel-xls-malware/
16 Feb 2015
___
Fake 'Order' SPAM - doc malware
- http://blog.dynamoo.com/2015/02/malware-spam-l-plastic-order-66990.html
16 Feb 2015 - "This -fake- financial spam does not come from LA Packaging, their systems are not compromised in any way. Instead, this is a simple -forgery- with a malicious attachment:
From: Hannah [Hannah@ lapackaging .com]
Date: 16 February 2015 at 10:38
Subject: L&A Plastic Order# 66990
For your records, please see attached L&A Order# 66990 and credit card receipt.
It has shipped today via UPS Ground Tracking# 1Z92X9070369494933
Best Regards,
Hannah – Sales
L&A Plastic Molding / LA Packaging
714-694-0101 Tel - Ext. 110
714-694-0400 Fax
E-mail: Hannah@ LAPackaging .com
Attached is a malicious Word document 66990.doc - so far I have only seen one version of this, although there are usually several variants. This document contains a macro... an executable from:
http :// hoodoba.cba .pl/js/bin.exe = 95.211.144.65: https://www.virustotal.com/en/ip-address/95.211.144.65/information/
At present this has a detection rate of 6/57*. It is the same malware as seen in this spam run**."
* https://www.virustotal.com/en/file/...85877d8d2c49a8ac26a90796/analysis/1424089760/
** http://blog.dynamoo.com/2015/02/malware-spam-tag-automotive-group-ltd.html
- http://myonlinesecurity.co.uk/la-plastic-order-66990-word-doc-malware/
16 Feb 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/02/LA-Plastic-Order-66990.png
___
Money mule SCAM
- http://blog.dynamoo.com/2015/02/money-mule-scam-gbearncom-usaearnscom.html
16 Feb 2015 - "This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.
Date: 16 February 2015 at 21:29
Subject: New offer
Good day!
We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
and solutions to develop a distinctive brand value.
We cooperate with different countries and currently we have many clients in the USA and the EU.
Due to this fact, we need to increase the number of our destination representatives' regular staff.
In their duties will be included the document and payment control of our clients.
Part-time employment is currently important.
We offer a wage from 3500 GBP per month.
If you are interested in our offer, mail to us your answer on riley@ gbearn .com and
we will send you an extensive information as soon as possible.
Respectively submitted
Personnel department
The reply-to address of gbearn .com has recently been registered by the -scammers- with false WHOIS details. There is also an equivalent domain usaearns .com for recruiting US victims. Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1 .recognizettrauma .net). The other nameserver (ns2 .recognizettrauma .net) is on 75.132.186.90 (Charter Communications, US). Be in no doubt that the job being offered here is -illegal- and you should most definitely avoid it."
___
Banking Trojan Dyreza sends 30,000 malicious emails in one day
- http://net-security.org/malware_news.php?id=2964
16.02.2015 - "A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, warns Bitdefender*. 30,000 malicious emails were sent in just one day from spam servers in the UK, France, Turkey, US and Russia. The spam, which has been directed to customers of UK banks including NatWest, Barclays, RBS, HSBC, Lloyds Bank and Santander, carries links to HTML files which direct users to URLs pointing to highly obfuscated Javascript code. This automatically downloads a zip archive from a remote location... each downloaded archive is named differently to bypass antivirus solutions. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new. To take the con one step further, the same Javascript code -redirects- the user to the localized webpage of a fax service provider as soon as the archive is downloaded..."
* http://www.hotforsecurity.com/blog/...ent-fax-messages-bitdefender-warns-11368.html
___
Banking malware VAWTRAK - malicious macro downloaders
> http://blog.trendmicro.com/trendlab...s-malicious-macros-abuses-windows-powershell/
Feb 16, 2015
:fear::fear:
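As an added defender-side example (not code from any of the quoted dynamoo.com or myonlinesecurity.co.uk posts), the Python script below consolidates the two "Recommended blocklist" IP sets and the two bin.exe download hosts named above into one indicator set, validates the addresses, and scans proxy-log lines for matches. The log format, the client addresses, the 203.0.113.10 and 198.51.100.7 destination addresses and the sample lines themselves are constructed for illustration; the indicators are the ones published in the posts with the defanging spaces removed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators as published in the two dynamoo.com "Recommended blocklist" sections
# (TAG invoice run and "Copy of transaction" run). Defanging spaces removed.
BLOCKLIST_IPS = {
    "37.139.47.105", "78.140.164.160", "95.163.121.179",
    "86.104.134.156", "117.223.58.214", "109.234.38.70",
    "85.143.166.72", "205.185.119.159", "92.63.88.87",
    "173.226.183.204", "27.5.199.115", "149.171.76.124",
    "46.19.143.151",
}
# Hosts the macros fetched bin.exe from, per the TAG invoice and LA Packaging posts.
DOWNLOAD_HOSTS = {"laikah.de", "hoodoba.cba.pl"}

# Hypothetical proxy-log layout assumed for this example:
# <timestamp> <client_ip> <method> <url> <status> <dest_ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<dest>\S+)$"
)

# Constructed sample log lines (not from the posts). Line 4 uses the 95.211.144.65
# address the LA Packaging post gives for hoodoba.cba.pl.
SAMPLE_LOG = """\
2015-02-16T08:31:02Z 10.0.0.15 GET http://laikah.de/js/bin.exe 200 203.0.113.10
2015-02-16T08:31:09Z 10.0.0.15 POST http://37.139.47.105/ 200 37.139.47.105
2015-02-16T08:40:00Z 10.0.0.22 GET http://example.com/index.html 200 198.51.100.7
2015-02-16T10:45:11Z 10.0.0.31 GET http://hoodoba.cba.pl/js/bin.exe 200 95.211.144.65
garbage line that does not parse
""".splitlines()


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str
    indicator: str


def validate_blocklist() -> List[str]:
    """Parse every entry as an IPv4 address (catches typos) and return them sorted."""
    return sorted(BLOCKLIST_IPS, key=lambda s: int(ipaddress.IPv4Address(s)))


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased host part of a URL, or None if it is not a URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Flag lines whose destination IP is on the blocklist or whose URL points at a
    known download host; unparsable lines are skipped rather than failing the scan."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, url, dest = m.group("client"), m.group("url"), m.group("dest")
        if dest in BLOCKLIST_IPS:
            hits.append(Hit(n, client, "dest-ip-on-blocklist", dest))
        host = host_of(url)
        if host in DOWNLOAD_HOSTS:
            hits.append(Hit(n, client, "download-host", host))
        elif url.lower().endswith("/js/bin.exe"):
            # Both runs used the same /js/bin.exe path; catch it on a new host too.
            hits.append(Hit(n, client, "download-path", url))
    return hits


if __name__ == "__main__":
    print("blocklist entries:", len(validate_blocklist()))
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: client {h.client} -> {h.reason} ({h.indicator})")
```

Run it against a real proxy export by replacing SAMPLE_LOG with the file's lines after adjusting LOG_RE to the export's field order; a hit on "dest-ip-on-blocklist" from an internal client is worth treating as a possible Dridex infection on that host, given the posts describe the dropped binary POSTing to 37.139.47.105.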