Today a customer asked me about a suspicious e-mail…
There is not much to identify this one by, as the e-mail is short and looks very genuine.
It looked very much like this:
From: belinda.taylor@bssgroup.com
Sent: Monday, July 27, 2015 9:32 AM
To: REDACTED.REDACTED@REDACTED.com
Subject: copy
Attachment: 13409079779.docm
As requested
There isn't much to give away that this is potentially malicious. The slight giveaway is the .docm format rather than .docx (a macro-enabled document rather than a normal document). However, people make mistakes, and the sender may have accidentally saved the file in the wrong format.
The attachment was:
SHA256 fdf8b9d41404ba4121abf1fab7793cce1edf85f35abc4fa787040f87ccebfdc2
VirusTotal Report
When run, the macro fetches
http://terrasses-de-santeny.com/yffd/yfj.exe
SHA256 4780f07a4646c83fb376864898194887930c48b2328ce73e5b3a133ecd7bd1e0
VirusTotal Report / Malwr Report
which then sends data to, and requests data from,
https://93.171.132.5:743/
This links the file to the other spam run today:
https://thecomputerperson.wordpress.com/2015/07/27/tp-e-billing-for-jul-15-seq-no-0006-0866aer147-region-033-docm-spam-run/
A couple of interesting things come out of the above HTTPS communication. Firstly, the certificate for the HTTPS connection was generated on the 8th of July, so the C2 server had been set up "quite some time" beforehand in the scheme of these kinds of spam runs.
Also, the attributes in the certificate may help track down similar C2 servers:
CN = coreryfacorm.gg
OU = gay team
O = protectthegays
L = Quebeck
S = Monreal
C = CA
The dead giveaway from a sysadmin's point of view was that the originating server wasn't legitimate and the sender address had delivered messages to multiple destination addresses at the domain!
Searching on those certificate attributes does indeed reveal other IPs that have used similar certificates:
91.121.91.221 on port 1443
151.248.123.100 on port 743 (now showing a different certificate, see [1] below)
46.19.136.211 on port 443
87.236.215.151 on port 80
69.164.213.85 on port 1443 (now showing a different certificate, see [2] below)
[1] This IP is now showing a different certificate:
CN = thecupomoban.ee
OU = bushes
O = clan
L = Springfield
S = TX
C = US
[2] This IP is now showing a different certificate:
CN = laliveeralior.ch
OU = Widgits pty
O = Microsoft
L = Blackfield
S = MN
C = US
Thankfully, as a lower-level spam run had occurred the other day using .docm attachments, the attachment was already blocked across all the mail servers I manage.
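As an added defender-side example (my own code, not part of the original post), here is a stdlib-only Python check of the kind a mail gateway could run to block macro-enabled Office attachments like the one above: it flags the .docm extension, and it also opens the OOXML zip and looks for vbaProject.bin so that a .docm renamed to .docx does not slip past. The message and the zip it carries are constructed samples modelled on the headers shown earlier, not the real attachment; the helper names are my own.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Macro-enabled OOXML extensions and the zip entries that carry a VBA project.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
VBA_ENTRIES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def contains_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip embedding a VBA project; a .docm
    renamed to .docx still carries word/vbaProject.bin, so names are not trusted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in VBA_ENTRIES for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_macro_attachments(raw_message: bytes) -> list:
    """Scan an RFC 5322 message; return (filename, reason) per attachment to block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in MACRO_EXTENSIONS:
            findings.append((name, "macro-enabled extension " + ext))
        elif contains_vba_project(payload):
            findings.append((name, "VBA project inside OOXML container"))
    return findings


def build_sample_message(filename: str = "13409079779.docm") -> bytes:
    """Constructed sample modelled on the headers above; a minimal zip with a
    placeholder vbaProject.bin stands in for the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"placeholder VBA project (constructed)")
    m = EmailMessage()
    m["From"] = "belinda.taylor@bssgroup.com"
    m["Subject"] = "copy"
    m.set_content("As requested")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename=filename)
    return m.as_bytes()
```

Calling `find_macro_attachments(build_sample_message())` returns the .docm finding, and the same message with the attachment renamed to .docx is still caught through the vbaProject.bin check.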