Malicious script attached to email “Reference Number #10207614, Last Payment Notice”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Reference Number #10207614, Last Payment Notice” (the number in the subject varies from message to message).

The email is sent from the spoofed address “Raul Booth <BoothRaul64156@bulshit.org>” and is signed by Raul Booth, Sales Manager at Foreman&Clark Ltd.

The email has the following body:

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $6,137.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.

Sincerely,
Raul Booth
Sales Manager

Foreman&Clark Ltd.
256 Raccoon RunSeattle,
WA 98101

The attached file copy_invoice_10207614.zip contains the 16 kB file invoice_copy_dXSLK7.js, an obfuscated JavaScript.

This technique seems to be trending: the campaign shares its characteristics with the earlier campaign Malicious script attached to email “Your order #47994403 – Corresponding Invoice #7704B491”. The JavaScript is not written for a web browser; it relies on the Windows Script Host (wscript.exe), which is what Windows launches by default when a user double-clicks a .js file, so simply opening the extracted file is enough to run it.

The script is detected as JS/Downldr.CZ.gen.

At the time of writing, 3 of the 53 AV engines at VirusTotal detected the script.

See VirusTotal or Malwr for more detailed information.
SHA256: 4f52bea6b608d1fe17a25f15b7158ae4581752811adb145434cc693a8dab6d21

Once run, the JavaScript contacts the following hosts/IPs:

46.151.52.196
softextrain64.com

In our sample the script downloads the 336 kB file 80.exe from 46.151.52.196/80.exe?1.

This executable is detected as Trojan.Win32.Swizzor.1!O, HEUR/QVM10.1.Malware.Gen or Mal/Wonton-BX.

At the time of writing, 3 of the 54 engines at VirusTotal detected it.

See VirusTotal or Malwr for more detailed information.
SHA256: c5c2f7c25584cefa879cee52ba300404d1a123a5e5b73638826ae45951a8f7b6
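
The analysis above (ZIP attachment, a script member that Windows Script Host would execute, its SHA256, and the hosts/IPs it contacts) can be reproduced as a small triage routine. The Python below is an added example, not MX Lab's tooling and not code from the sample itself. It assumes the script hides its URL by concatenating string literals (the write-up does not say how the real script is obfuscated, so this covers only that common case), it restricts bare hostnames to a short TLD list to avoid reporting things like 80.exe as a host, and it runs on a constructed stand-in ZIP that reuses only the two indicators from the write-up.

```python
"""Triage a ZIP-attached Windows Script Host downloader (added example)."""
import hashlib
import io
import re
import zipfile
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Extensions that Windows hands to wscript.exe on double-click. A ZIP whose
# "invoice" carries one of these is the pattern of this campaign.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Assumption: the script splits its strings as "soft" + "extrain64" + ".com".
# Two adjacent string literals joined by '+' are folded into one.
CONCAT_RE = re.compile(r"""(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# Bare hostnames are limited to a small TLD list (assumption) so that
# "80.exe" or "WScript.Echo" are not reported as hosts.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|eu|be|nl|pl|mx|uk|ke|info|biz|ru)\b",
    re.IGNORECASE,
)


def unconcat(script: str) -> str:
    """Fold "a" + "b" + "c" chains into single literals until nothing changes."""
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', script)
        if folded == script:
            return folded
        script = folded


def extract_indicators(script: str) -> dict:
    """Return URLs, IPv4 addresses and hostnames visible after de-concatenation."""
    text = unconcat(script)
    urls = sorted(set(URL_RE.findall(text)))
    ips = set(IPV4_RE.findall(text))
    hosts = {h.lower() for h in HOST_RE.findall(text)}
    for u in urls:
        netloc = urlsplit(u).hostname or ""
        if IPV4_RE.fullmatch(netloc):
            ips.add(netloc)
        elif netloc:
            hosts.add(netloc)
    return {"urls": urls, "ips": sorted(ips), "hosts": sorted(hosts)}


def triage_zip(zip_bytes: bytes) -> list:
    """Hash every member; pull indicators out of members that WSH would run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            is_script = PurePosixPath(info.filename).suffix.lower() in WSH_EXTENSIONS
            findings.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "wsh_script": is_script,
                "indicators": extract_indicators(data.decode("latin-1")) if is_script else None,
            })
    return findings


# Constructed stand-in for the attachment. It is NOT the real
# invoice_copy_dXSLK7.js: only the IP and hostname from the write-up are reused,
# assembled from fragments so that the folding step has something to undo.
SAMPLE_JS = (
    'var u = "ht" + "tp://" + "46.151." + "52.196" + "/80.exe?1";\n'
    "var h = 'soft' + 'extrain64' + '.com';\n"
    "WScript.Echo(u + ' ' + h);\n"
)


def build_sample_zip() -> bytes:
    """Constructed ZIP with one WSH script and one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_copy_sample.js", SAMPLE_JS)
        zf.writestr("readme.txt", "plain text member, for contrast\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        flag = "WSH SCRIPT" if f["wsh_script"] else "ok"
        print(f"{f['name']:28} {f['size']:6d} B  {f['sha256'][:16]}...  {flag}")
        if f["indicators"]:
            for kind, values in f["indicators"].items():
                print(f"    {kind}: {', '.join(values) or '-'}")
```

The folding step is what makes the difference: before it, neither the IP nor the hostname exists as a contiguous string in the script, so a plain grep over the attachment finds nothing. Real samples use other tricks as well (character-code arrays, eval of decoded strings), so treat a clean result from this routine as "no indicators found", not as "benign".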

24 thoughts on “Malicious script attached to email “Reference Number #10207614, Last Payment Notice””

  1. They apparently take the trouble to vary the reference numbers and amounts. Mine were 21642329 and $7,171. I noticed a similar scam yesterday, same formatics but different firm name; amount posted here was different from one in same-name attempt to me.

      • I received a number of these before happening across this site to report/compare incidences. In all cases, the amounts and reference numbers were different, although some did have same firm name/address/city. Wonder if I’ve worn out my welcome — nothing from them in past couple of days. Not complaining, just noting.

  2. Dang! Since I posted my earlier thing, I’ve received another: Reference Number #90676680, Last Payment Notice … $3,167 … Foreman & Clark. I hate what these people are doing but have to give them credit for perseverance and NOT sticking with the identical ‘boilerplate’ every time, the way the e-mail hackers seem to do.

    Anyone making progress on detecting and/or deflecting them?

  3. The latest from these guys

    Reference Number #02766413, Last Payment Notice
    Vincent Harmon
    November 15, 2015 for the amount of $2,125.

    • Yes, we noticed a big spike in our stats, the highest in the last 30 days, and domains with various TLDs (.be, .nl, .com.mx, .co.uk, .pl, …) are also included in this campaign.

  4. I tried to open the invoice because it came under a business account. What type of issues could I end up having on my computer and what can I be looking for? Any help is greatly appreciated.

    • It is difficult to determine whether you have executed the JavaScript under the Windows Script Host environment and whether your system is, as a result, infected or not.

      You can run any of the tools – under the Security Tools links on the right – to check your computer for any infection. Otherwise, you can also run some antivirus software like F-Prot, Sophos, … that detected the malware and run a full scan on your system. If you use another antivirus scanner, make sure the latest antivirus definitions are installed and run a full scan.

  5. Monica’s report raised a question: Does simply DOWNLOADING the invoice .zip file unleash the bogeys, or would that happen only if you tried to OPEN that file?

    As long as I’m demonstrating my lack of savvy: Aside from our sharing reports of what’s unwantedly come our way, is — CAN? — anything being done about it? Just as the bad guys are tech-sharp enough to do this to us, are there GOOD guys whose tech skills can run them to ground?

    • In this case, simply reading the email and downloading the ZIP file does not infect your computer. Running the script, after opening the ZIP file, will have consequences.

      • Thanks. Don’t PLAN to even open it but some mornings the coffee and CNS don’t interact completely before I do the e-mail day starter.

  6. In South Florida. Two of my staff opened the zip, ran the script, and it corrupted every Excel file.
    Additionally, the virus spread through a shared cloud and contaminated files on other PC’s.
    This thing is nasty!

  7. OK, last time here today, getting too ridiculous to keep up with, including just-in
    “invoice #577222F0, Ref. nr 20086511/2015, outstanding pastdue balance $4,153” from
    William Perkins, Customer Service Dept., Realty Solutions, Denver, CO.

    Hope this dies out before Christmas, of which I also hope all here — but not the shbleep-weasels causing us to BE here — have a joyous one.

  8. Said I wouldn’t keep adding to the piles of similar clutter but here at my bedtime they seem to be changing their tune:

    Payment Nr. 26883617/90B96E26
    From LyonsLeight0073@philipagee.com

    Dear Client,
    Our finance department has processed your payment, unfortunately it has beendeclined. (No space between those 2 words)
    Please, double check the information provided in the invoice downbelow (again, no space) and confirm your details.

    And the attached .zip Invoice to scan

    Hope this isn’t what I dream about!

  9. Received today, malicious .js in zip file with subject as below:

    From: Antonia Blackwell [mailto:BlackwellAntonia8825@mtnbusiness.co.ke]
    Sent: Friday, December 11, 2015 2:53 AM
    Subject: Payment Nr: 14950552/D5E27E43

    Dear Client,

    Our finance department has processed your payment, unfortunately it has been declined.
    Please, double check the information provided in the invoice down below and confirm your details.

    Thank you for understanding.

  10. And my new day’s first offering: Invoice #15728465/BF04FE81
    From: Esperanza Richards

    Wonder if these creeps are monitoring THIS site and amping up their onslaught, just to mess with our heads. I’d love to see what kind of facilities they have, and target selection they use. Think of what that kind of intellect/energy could accomplish if not dedicated to troubling others. Sad.

  11. Little weekend activity but 3 so far today, amping up the (their, not mine) anxiety level:

    “We regret to inform you that due to your unpaid debt amount of $745.47 to
    SandorInc., from November 31, 2015 we have passed your case to the court.

    Your prompt attention is required to resolve this issue.”

    All had different reference numbers and signatories; one had only a .doc file, others had the usual baddie-containing .zip.

  12. Something slightly different in latest mail batch, but similar enough to post:

    “Subject: Rockspring Remittance Advice – WIRE
    From: Stacey Barlow

    Please find attached your Remittance Details for the funds that will bedeposited to
    your bank account on December 15th.

    Rockspring Capital is now sending through the bank the addenda informationincluding
    your remit information.

    If you are not seeing your addenda information in your bank reporting you mayhave to
    contact your local bank representative.”

    And like one of yesterday’s, the attachment was .doc not .zip. ???

  13. I’m in Scotland. I got 1 today as well.

    This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $4,493.
    Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

    Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
    In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

    Thank you beforehand for your attention to this case.
    Looking forward to hearing back from you.

    Sincerely,
    Herman Merritt
    Sales Manager

    Foreman&Clark Ltd.
    256 Raccoon RunSeattle,
    WA 98101
