New WSF malware in emails “Voice Message from Outside Caller”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Voice Message from Outside Caller (2m 31s)”.

This email is sent from the spoofed address “Peach Telecom <peach_necsv446@hotmail.co.uk>” and has the following body:

Voice Message Arrived on Friday, Aug 26 @ 8:50 AM
Name: Outside Caller
Number: Unavailable
Duration: 2m 31s
_________________
*****.BE SV9100 InMail

In each email the duration changes, and the domain of the recipient is included at the end of the message.

The attached file Outside Caller 08-26-2016 784036b.zip contains the file 08-26-2016 69tthi05.wsf which is a Windows Script File. Filenames of the ZIP archive and extracted WSF will change with each email as well.

The malware is detected by 9/56 AV engines at Virus Total. Malwr analysis shows that more malware will be downloaded from hxxp://digho.web.fc2.com/nb20gjBV?jNpfJetYR=wCNyEp. Other URLs may be used in different variants.

New Javascript malware in email “office equipment”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “office equipment”.

This email is sent from spoofed addresses and has the following body:

Dear ****,

Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.

Best regards,
Marylou Cox
Sales Manager

The attached file e9148007b03c.zip contains the file office_equipment ~2e0c9b44.js.

The malware is detected by 4/55 AV engines at Virus Total. Malwr analysis shows that more malware will be downloaded from hxxp://rejoincomp2.in/1tdqo6. Other hosts might be used in this campaign.

Fake email DHL with subject “DHL Levering: 7TOWTQ6363338851” downloads malware


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “DHL Levering: 7TOWTQ6363338851”. The email includes the DHL logo, is written in Dutch and is sent to .nl domains, and as such targets DHL customers in the Netherlands.

This email is sent from the spoofed address “DHL Parcel <****@*****.**>” and has the following body:

DHL

Dear Sir/Madam,

Your order is ready to be shipped and will be delivered tomorrow between 10:45 and 14:00 at number 14.

More information about your order can be found under this web code 7TOWTQ6363338851

For more information: website

Regards,

DHL Parcel department.

The embedded URL hxxp://toptiptiopee.top/trackdhl.exe downloads the 1.6 MB file trackdhl.exe.

The malware is detected as Win32.Trojan.WisdomEyes.151026.9950.9962, HEUR/QVM03.0.0000.Malware.Gen or HW32.Packed.EC8A by 4/56 AV engines at Virus Total and the analysis is available on Malwr.

Fake domain name registration/extension notice leads to phishing attempt


MX Lab, http://www.mxlab.eu, started to intercept some fake domain registration/extension notices during the last few days, at a low volume, which clearly show that these are attempts to steal credit card information over an insecure HTTP connection.

The emails are sent from addresses like:

noreply@orderinformation4640.com
noreply@yourcompletedorder4002.com
noreply@yourreceipt2612.com
noreply@yourcompletedorder6221.com

The possible subjects are:

FWD: Attention: Domain Registration
FWD: Attn: Domain *****.com

The body of the email:

FWD: Attention: Domain Registration
Domain Name: *****.com

Bill To:
****** *****
******
*********

Invoice # AUG-2-362-1083560
Date 8/24/2016
Terms Net 15
Due Date 8/29/2016
P.O.#

SECURE ONLINE PAYMENT
Domain Name Date Range Price Term
sitotech.com 8/24/2016 – 8/24/2017 $75.00 1 Year
Dear ***********,

Don’t miss out on this offer which includes search engine submissions for ******.com for 12 months. There is no obligation to pay for this order unless you complete your payment by 8/29/2016. Our services provide submission and search engine ranking for domain owners. This offer for submission services is not required to renew your domain registration.

Failure to complete your search engine registration by 8/29/2016 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web).

You are under no obligation to pay the amount stated above unless you accept this offer by 8/29/2016. This is a courtesy reminder for *******.com.

This offer for ******.com will expire on 8/29/2016. Act today!

For Domain Name:
*****.com

SECURE ONLINE PAYMENT

Screenshot of the email:

Our last intercepted sample leads to the web site hxxp://orderinformation4640.com/order/2-362-n82w-bko-5sc-e7a4.

Note that the domain used in the sender's email address is also used in the insecure HTTP request. The following web form is present:

MX Lab recommends double-checking all requests received by email for domain registrations and/or extensions of your current domain, and never sending credit card details over an insecure HTTP connection. When you receive such a request and are unsure, contact your current domain registrar, check the expiration date of your domain and only renew your domain through their control panel.

New Javascript malware in email “Contract”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Contract”.

This email is sent from different spoofed email addresses and has the following body, each time signed with a different name at the end:

Hello,

Please sign the attached contract with our technical service company for 2016 – 2017.
We would appreciate your quick response.

King regards,
Eusebio Wooten

(Digital-Signature: 21077b69896386aa05cb891eac33dfde963470dec559f213274f)

The attached file 79800f65bce.zip contains the file contract_2016-2017_pdf ~62bbb6d9.js.

The malware is detected by 15/56 AV engines at Virus Total and the malware is analyzed by Malwr.

New Javascript malware in email “Statement” with monthly financial statement


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Statement”.

This email is sent from different spoofed email addresses and has the following body, each time signed with a different name at the end:

Hi,

The monthly financial statement is attached within the email.
Please review it before processing.

King regards,
Wendi Burnett

(Topic-ID: e75fb3dd7e84b6fd59b55b5a6432f7f1a1fba8cd342a)

The attached file ad1a821332cf.zip contains the file monthly_financial_scan 0c2d5b8d.js.

The malware is detected by 10/56 AV engines at Virus Total and the malware is analyzed by Malwr.
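As an added example (not MX Lab's code and not part of the original posts), a mail-gateway check in Python that opens ZIP attachments in memory and flags script files, the delivery pattern shared by the “Voice Message from Outside Caller” (.wsf), “office equipment”, “Contract” and “Statement” (.js) campaigns above. The sender address, the harmless placeholder payload and the extension list are constructed assumptions.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script extensions worth blocking at the gateway; .wsf and .js are the ones
# seen in the campaigns above, the rest are an assumption to tune locally.
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe")


def build_sample_email(zip_name: str, inner_name: str) -> bytes:
    """Construct a test message with one ZIP attachment wrapping one file.
    This is constructed sample data, not a real intercepted email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// placeholder, not a real payload")
    msg = EmailMessage()
    msg["From"] = "Peach Telecom <sender@example.invalid>"  # constructed address
    msg["Subject"] = "Voice Message from Outside Caller (2m 31s)"
    msg.set_content("Voice Message Arrived on Friday, Aug 26 @ 8:50 AM")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return bytes(msg)


def find_script_in_zip_attachments(raw: bytes) -> list:
    """Return (zip filename, inner filename) for every script file found inside
    a ZIP attachment. Archives are only listed, never extracted or executed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_content()))
        except zipfile.BadZipFile:
            # An unreadable archive cannot be vetted, so report it as well.
            hits.append((name, "<unreadable zip>"))
            continue
        for info in zf.infolist():
            # Filenames change per email, so match on the extension only.
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                hits.append((name, info.filename))
    return hits
```

A hit is enough to quarantine the message; the randomized ZIP and script names in these campaigns make filename-based blocklists useless, while the extension inside the archive stays constant.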

Fake email NEW ORDER (URGENT AIR SHIPMENT) from Cimcoop Holding contains malware


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “NEW ORDER (URGENT AIR SHIPMENT) ”.

On 4 August we detected and intercepted a similar campaign, “Fake email NEW ORDER PO_A2528/20160806 from Cimcoop Holding contains malware”, but with a ZIP file attachment.

This fake email is sent from the spoofed address “Andrea Scott <andres.knatorowicz@gmail.com>”, is signed with the name Andrea Scott from Cimcoop Holding LTD and has the following body:

Dear Sir,

Please find attached our new orders and qoute your best prize. Your urgent response will be appreciated as we would like delivery to done mid September if possible.

Do let us know if you have any further queries and we look forward to hear from you soon.

Best regards.
Andrea Scott
sales

Cimcoop Holding LTD
Tel: (+3592)955-9741
Fax: (+3592)955-9941
Cell: (+359)885-262-952
www.cimcoop.com

The attached file PO#5011023087.doc is detected by 13/54 AV engines at Virus Total and the analysis is available on Malwr and Hybrid-Analysis.
