New malware: Urgent: F590483 LITEBULB GROUP LTD/ HPE


MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with the subject “Urgent: F590483 LITEBULB GROUP LTD/ HPE” or similar.

The email is sent from spoofed addresses and has the following body:

Please find the attached tracker for your records.

Gaylord Sargent

LITEBULB GROUP LTD |

2819 I Street, NW, Suite 300 Washington D.C. 51845

O: (556) 165 2527 | F: (228) 379 0259
ISO9001:2008 | li4160 Rev C | 2CF-E11-240 | Core QPL | QAM-001, Sec. 5.3

This email may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations (22 C.F.R. Parts 120 – 130) or the Export Administration Regulations (15 C.F.R. Parts 730 – 774).

Export controlled information, in any form, shall not be disclosed to a foreign person whether in the United States or abroad (including foreign persons employed in the U.S.) without authorization under the applicable U.S. Government export control regulations and the express written authorization of STRAN Technologies. This document may contain STRAN Technologies’ Proprietary Information and is to be used only for the purposes for which it has been supplied and is not to be duplicated or disclosed in whole or in part without written permission from a duly authorized representative of STRAN Technologies. If you feel you have received this email in error, please contact the sender at (556) 165 2527.

Other samples:

Please find the attached tracker for your records.

Robert Mcclain

ACACIA MINING PLC |

2559 I Street, NW, Suite 300 Washington D.C. 99457

O: (560) 386 4872 | F: (325) 371 2041
ISO9001:2008 | sn2199 Rev C | 597-B25-618 | Core QPL | QAM-001, Sec. 5.3

This email may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations (22 C.F.R. Parts 120 – 130) or the Export Administration Regulations (15 C.F.R. Parts 730 – 774).

Export controlled information, in any form, shall not be disclosed to a foreign person whether in the United States or abroad (including foreign persons employed in the U.S.) without authorization under the applicable U.S. Government export control regulations and the express written authorization of STRAN Technologies. This document may contain STRAN Technologies’ Proprietary Information and is to be used only for the purposes for which it has been supplied and is not to be duplicated or disclosed in whole or in part without written permission from a duly authorized representative of STRAN Technologies. If you feel you have received this email in error, please contact the sender at (560) 386 4872.

Please find the attached tracker for your records.

Norma Mercado

Bedlam Productions |

1258 I Street, NW, Suite 300 Washington D.C. 96036

O: (456) 817 1253 | F: (762) 804 1897
ISO9001:2008 | te8729 Rev C | C2C-AE4-671 | Core QPL | QAM-001, Sec. 5.3

This email may contain Technical Data the export of which is subject to the International Traffic in Arms Regulations (22 C.F.R. Parts 120 – 130) or the Export Administration Regulations (15 C.F.R. Parts 730 – 774).

Export controlled information, in any form, shall not be disclosed to a foreign person whether in the United States or abroad (including foreign persons employed in the U.S.) without authorization under the applicable U.S. Government export control regulations and the express written authorization of STRAN Technologies. This document may contain STRAN Technologies’ Proprietary Information and is to be used only for the purposes for which it has been supplied and is not to be duplicated or disclosed in whole or in part without written permission from a duly authorized representative of STRAN Technologies. If you feel you have received this email in error, please contact the sender at (456) 817 1253.

In the first sample, the files LITEBULB.rtf and LITEBULB.doc are attached to the email.

The emails do not originate from the companies that are mentioned in them. In several email samples, the attached files don’t have a file extension either, but they seem to be RTF and Word files.
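A mail-filter check for the two traits described above, as an added example that is not MX Lab's code: it matches the fixed parts of the signature block while tolerating the randomized tokens, and identifies RTF or Word content in attachments that have no file extension. The token shapes are inferred from the three samples (an assumption), and the message built by `build_sample` and its attachment bytes are constructed.

```python
import re
from email.message import EmailMessage

# Fixed parts of the signature block. The shapes of the randomized tokens are
# inferred from the three samples in the post (an assumption, not a spec).
SIGNATURE_RE = re.compile(
    r"ISO9001:2008 \| [a-z]{2}\d{4} Rev C \| [0-9A-Z]{3}-[0-9A-Z]{3}-[0-9A-Z]{3}"
    r" \| Core QPL \| QAM-001, Sec\. 5\.3")
ADDRESS_RE = re.compile(r"\d{4} I Street, NW, Suite 300 Washington D\.C\. \d{5}")

# Leading bytes of the document formats the post names.
MAGIC = (
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy Word .doc)"),
    (b"PK\x03\x04", "zip (possibly .docx)"),
)

def sniff(data):
    """Return the format implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None

def inspect_message(msg):
    """Return a list of findings for one parsed EmailMessage."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if SIGNATURE_RE.search(text) and ADDRESS_RE.search(text):
        findings.append("body matches campaign template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = sniff(part.get_payload(decode=True) or b"")
        if kind and "." not in name:  # document content, no extension
            findings.append(f"{name!r}: {kind} content without a file extension")
    return findings

def build_sample():
    """Constructed message in the campaign's layout with harmless bytes."""
    msg = EmailMessage()
    msg.set_content(
        "Please find the attached tracker for your records.\n"
        "1234 I Street, NW, Suite 300 Washington D.C. 12345\n"
        "ISO9001:2008 | ab1234 Rev C | 1A2-B3C-4D5 | Core QPL | QAM-001, Sec. 5.3\n")
    msg.add_attachment(b"{\\rtf1 constructed placeholder}", maintype="application",
                       subtype="octet-stream", filename="EXAMPLE")
    return msg

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```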

The malware is detected by 2/56 AV engines at VirusTotal. Malwr analysis shows that other malware is downloaded from hxxp://connect.businesshelpaz.com/dana/home.php.

The malware is detected by 4/56 AV engines at VirusTotal and details are available on Malwr.
