Another round of word macro virus e-mails

This time the messages were sent to a lot of leaked LogMeIn addresses. One was also sent to an address scraped from a website.

Content similar to:

From: Millicent Johns <MillicentJohnsiu@business.telecomitalia.it>
Subject: Important notice: 7CD2D7_ABA97BD7172.doc

Your monthly Rainbow Communications invoice is attached to this mail.

This bill is for account RT628284

Please note that for those who receive multiple reports you may need to check your attachment field on your e-mail program to ensure that you have received them all.

Millicent Johns
Business Account Manager

From: Lidia Fletcher <LidiaFletcherzgbs@ttnet.com.tr>
Subject: Statement from Reynolds Porter Chamberlain

Please see attached statement.

Please be advised that our company is now incorporated and trades as Cleantec Equipment Ltd. Our bank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with new account details as follows:

Sort Code: 98-12-30
Account Number: 10991670

Ulster Bank has switched over our direct debits etc. for us so please take this letter as notification of same.

Our company number is NI624042.
Cleantec Equipment Ltd VAT registration number: GB184578365.

We would also like to take this opportunity to thank you for your continued support. If you should need any further information then please do not hesitate to contact us.

Regards,
Lidia Fletcher
Accounts Dept.

From: Reba Simpson <RebaSimpsoncs@rwatsoncpa.com>
Subject: Statement from STILFONTEIN GOLD MINING CO

Please see attached statement.

Please be advised that our company is now incorporated and trades as Cleantec Equipment Ltd. Our bank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with new account details as follows:

Sort Code: 98-12-30
Account Number: 10991670

Ulster Bank has switched over our direct debits etc. for us so please take this letter as notification of same.

Our company number is NI624042.
Cleantec Equipment Ltd VAT registration number: GB184578365.

We would also like to take this opportunity to thank you for your continued support. If you should need any further information then please do not hesitate to contact us.

Regards,
Reba Simpson
Accounts Dept.

From: Guadalupe Rodriguez <GuadalupeRodrigueznsr@pianodaddy.com>
Subject: Statement from BRAMMER

Please see attached statement.

Please be advised that our company is now incorporated and trades as BRAMMER. Our bank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with new account details as follows:

Sort Code: 98-12-30
Account Number: 10991670

Ulster Bank has switched over our direct debits etc. for us so please take this letter as notification of same.

Our company number is NI624042.
BRAMMER VAT registration number: GB184578365.

We would also like to take this opportunity to thank you for your continued support. If you should need any further information then please do not hesitate to contact us.

Regards,
Guadalupe Rodriguez
Accounts Dept.

The attachments were .doc files with random-looking hexadecimal names; several of them were corrupt, and only one had been seen by VirusTotal before.


Unlike previous virus runs, where others had been sent the same attachments, VirusTotal had not seen any of my samples except for one!

The files have internal references to C:/EC2C4CD1. Quite a few of the attachments, as with previous spam runs, seem to be corrupted and are just MIME-encoded binary.
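As an added example (not from the original post), a small Python triage helper that tells working .doc attachments apart from the corrupt, still-MIME-encoded ones described above: it checks for the OLE2 compound-document signature, and if absent tries a base64 decode and checks again. The sample blobs are constructed inline.

```python
import base64
import binascii
import re

# Added example, not from the original post. Legacy .doc files are OLE2 compound
# documents, which always begin with this 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Loose check for a body that is nothing but base64 text (the "MIME encoded binary" case).
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def classify_doc_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as 'ole', 'base64-ole', 'base64-other' or 'unknown'.

    'ole' is a document Word will actually open (worth detonating in a sandbox);
    'base64-ole' is a document that was never decoded, i.e. the corrupt case above.
    """
    if data.startswith(OLE_MAGIC):
        return "ole"
    body = data.strip()
    if not body or not _B64_BODY.match(body):
        return "unknown"
    try:
        decoded = base64.b64decode(body)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-ole" if decoded.startswith(OLE_MAGIC) else "base64-other"


def triage(attachments: dict) -> dict:
    """Map each file name to its classification so the live samples can be picked out."""
    return {name: classify_doc_attachment(blob) for name, blob in attachments.items()}


# Constructed sample attachments: a minimal OLE header, the same bytes left
# base64-encoded as a mail client might save a broken MIME part, encoded text, and junk.
SAMPLES = {
    "working.doc": OLE_MAGIC + b"\x00" * 24,
    "corrupt.doc": base64.b64encode(OLE_MAGIC + b"\x00" * 24),
    "text.doc": base64.b64encode(b"hello"),
    "junk.doc": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```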

When a working document is opened it contacts:

http://pastebin.com/download.php?i=x0XTHK8D

You can view the plain text version here.

This downloads a Windows Scripting Host script, which then accesses the following:

http://31.41.46.99/bt/bt/get.php

This address serves up the following junk:

SHA256: 2207825b37f115119e15d23f2a56b3a1ff3310ebb737e38f9062010686a8f1f1
Filename: crypted.120.exe (Malwr Report)

31.41.46.99 reverse-resolves to "goforexmoneytake.ru", but the forward lookup does not resolve.
inetnum: 31.41.40.0 – 31.41.47.255
netname: RELINKHOST-NET
descr: Relink LTD
country: RU
The machine identifies its hostname as starforlight.com / mx.starforlight.com (which does not resolve to the 31.41.46.99 address). It instead resolves to 50.7.202.18, which also serves up the malware dropper file. While investigating I also somehow found another IP, 50.7.207.178, which also serves up the same malware under the same URL.

This is strange and potentially means that the 31.41.46.99 IP is just an nginx reverse proxy. The 50.7.20* IP range belongs to FDC Servers in the USA, nowhere near Russia (where everything else 'claims' to be).

Net Range 50.7.192.0 – 50.7.255.255
CIDR 50.7.192.0/18
Name FDCSERVERS-ZLIN
Handle NET-50-7-192-0-1


It then spawned a .exe, SHA256: 868b5243cfbf4b44fd8f0bc1350d3c177499a92f475a4b3928000efd9528d158, which then accessed:

https://5.63.154.228:5443/
5.63.154.228 reverse-resolves to "miestilo.ru"
inetnum: 5.63.152.0 – 5.63.155.255
netname: REGRU-NETWORK
descr: Reg.Ru Hosting
country: RU
The SSL certificate was generated quite a while ago compared to other spam of this ilk. The certificate has some interesting properties:

Serial Number: 00 c2 8d c1 42 20 1d 23 69 / Thumbprint: c0 b0 6e ce e5 d1 ac b1 a7 f7 b0 7f 9e a7 50 3c 9e a5 f4 af
Valid from: 18 May 2015 08:20:10

CN = showtits4.me
OU = IT Department
O = Facebook Porn PTY
L = Miami
S = California
C = US

and

https://62.76.191.84:5443/
62.76.191.84 reverse-resolves to "62-76-191-84.clodo.ru"
inetnum: 62.76.176.0 – 62.76.191.255
netname: Clodo-Cloud
descr: IT House, Ltd
org: ORG-IHL2-RIPE
country: RU
The SSL certificate was also created around the same time as the other host's and contains the same interesting owner properties:

Serial Number: 00 b5 5e 2b ac d5 01 5b e6 / Thumbprint: 0b 0d 83 8a e8 86 41 2b 31 a3 f6 f0 e9 75 6d 4c 27 5d be 6c
Valid from: 18 May 2015 08:28:02

CN = showtits4.me
OU = IT Department
O = Facebook Porn PTY
L = Miami
S = California
C = US
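As an added example (not from the original post), the following Python clusters hosts by identical certificate subject and flags clusters whose certificates were minted within minutes of each other, which is the pivot used above to tie the two 5443/tcp hosts together. The records are typed from the certificate details quoted in the post; the parsing of "KEY = value" lines and the one-hour window are this example's own choices.

```python
from datetime import datetime

# Added example, not from the original post. Each record is (host, subject block as a
# certificate viewer prints it, "valid from" timestamp), typed from the details above.
OBSERVED_CERTS = [
    ("5.63.154.228", "CN = showtits4.me\nOU = IT Department\nO = Facebook Porn PTY\n"
                     "L = Miami\nS = California\nC = US", "18 May 2015 08:20:10"),
    ("62.76.191.84", "CN = showtits4.me\nOU = IT Department\nO = Facebook Porn PTY\n"
                     "L = Miami\nS = California\nC = US", "18 May 2015 08:28:02"),
]


def parse_subject(block: str) -> dict:
    """Turn 'KEY = value' lines into a dict, dropping the left-to-right marks
    that copy-pasting from certificate viewers tends to leave behind."""
    subject = {}
    for line in block.replace("\u200e", "").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            subject[key.strip()] = value.strip()
    return subject


def parse_valid_from(text: str) -> datetime:
    """Parse the '18 May 2015 08:20:10' form used in the post."""
    return datetime.strptime(text.replace("\u200e", "").strip(), "%d %b %Y %H:%M:%S")


def cluster_by_subject(records) -> dict:
    """Group hosts whose certificates share an identical subject; each group is a
    list of (valid_from, host) sorted by issuance time."""
    groups = {}
    for host, block, valid_from in records:
        key = tuple(sorted(parse_subject(block).items()))
        groups.setdefault(key, []).append((parse_valid_from(valid_from), host))
    return {key: sorted(members) for key, members in groups.items()}


def issuance_spread_seconds(members) -> float:
    """Seconds between the first and last certificate in one cluster."""
    return (members[-1][0] - members[0][0]).total_seconds()


def suspicious_clusters(records, max_spread_seconds=3600) -> list:
    """Return (CN, hosts) for subjects shared by more than one host whose
    certificates were minted within max_spread_seconds of each other."""
    found = []
    for key, members in cluster_by_subject(records).items():
        if len(members) > 1 and issuance_spread_seconds(members) <= max_spread_seconds:
            found.append((dict(key)["CN"], [host for _, host in members]))
    return found
```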

The .exe then quit, presumably because it detected a virtual machine and ended execution.

While researching I also came across two files:

SHA256: 37121ecb7c1e112b735bd21b0dfe3e526352ecb98c434c5f40e6a2a582380cdd
File name: test_calc.exe
Which appears to be a genuine copy of calc.exe

and

SHA256: 9dc8c8e25c3343bc357d30fd7acc198290d5e6e8137a725fce1528581b205a5f
File name: crypted.122.exe (Malwr Report)

These I presume were some files they were testing side-loading with; why have a genuine, unaltered Microsoft file otherwise?

Above I mentioned a domain, starforlight.com, which has the following registration information at the moment:

Registrar: Domain names registrar REG.RU LLC
Registrant Name: Ustas Stillavichus
Registrant Organization: Private Person
Registrant Street: 11. novembra krastmala 17/2
Registrant City: Riga
Registrant State/Province: Riga
Registrant Postal Code: LV-1050
Registrant Country: LV
Registrant Phone: +37177026101
Registrant Email: ketynemuk@yandex.ru
