Channel: virus
Viewing all 351 articles

New Excel malware: UKMail 988271023 tracking information from no-reply@ukmail.com


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UKMail 988271023 tracking information”.

This email is sent from the spoofed address “no-reply@ukmail.com” and has the following body:

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attached file 988271023-PRCL.xls is a 118 kB Excel file with an embedded malicious macro that downloads a trojan from a remote host.

The malware is known as LooksLike.Macro.Malware.gen!x3 (v) or X97M.Dropper.KV.

At the time of writing, 3 of the 55 AV engines detected the trojan at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 6154fd92261dd65f02dad954db7ee9950251a0c4b3a8a2f40cc9c1b714927692



New Word malware: Request for payment (PGS/73329) from PGS Services Limited


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Request for payment (PGS/73329)”.

This email is sent from the spoofed address “PGS Services Limited <rebecca@pgs-services.co.uk>” and has the following body:

Although we have contacted you already our system is still showing that the invoice remains unpaid.

RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
London

W1F 7PA

Full details are attached to this email in DOC format.

Click here to make a payment
If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.

Kind regards,

Rebecca Hughes

Customer services team
PGS Services | Expert Property Care

Direct dial: 0203 819 7054
Email: rebecca@pgs-services.co.uk
Visit our website: www.pgs-services.co.uk

10 quick questions – tell us what you think!
http://www.pgs-services.co.uk/feedback/

The embedded URL/button “Click here to make a payment” leads to hxxps://www.pgs-services.co.uk/secure/pgs-payment.php?a=73329&b=3&c=6555&d=649a79cf0342f920d6b62e7f73777dc9&e=865c0c0b4ab0e063e5caa3387c1a8741, but so far we have not been able to connect to it.

The attached file 3-6555-73329-1435806061-3.doc is a 115 kB Word file with an embedded malicious macro that downloads a trojan from a remote host.

The Word malware is known as LooksLike.Macro.Malware.gen!d3 (v), HEUR.VBA.Trojan.B or W97M.Dropper.KV.

At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 70084c788933a1bbff1bf87df316caf4d79cdff6add65c99b637004779b1b815

Update 01/12/2015 – 14:40:

The macro can download the trojan from the following locations:

rotulosvillarreal.com/~clientes/6543f/9o8jhdw.exe
cru3lblow.xf.cz/6543f/9o8jhdw.exe
data.axima.cz/~krejcir/6543f/9o8jhdw.exe

The trojan can make connections to the following IPs:

94.73.155.12
89.32.145.12
221.132.35.56
157.252.245.29

The trojan is known as UDS:DangerousObject.Multi.Generic or QVM19.1.Malware.Gen.

The 168 kB file 9o8jhdw.exe is detected by 2 of the 55 AV engines at Virus Total.
SHA256: b8e71df7a2236f1cf65ba6be02a6615217b61166e71164979d23d7254a446d1b
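The update above lists download locations without a scheme, connection IPs and SHA256 lines, and elsewhere on this page URLs are defanged as hxxp://. As an added example that is not MX Lab's code, the Python below parses advisory text of that shape into normalised indicator lists (refanged URLs, with http:// assumed when the scheme is missing; IPv4 addresses; lowercased SHA256 digests) ready for a blocklist or SIEM lookup. The advisory excerpt it parses is constructed for the example and its hosts, paths and hashes are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed advisory excerpt in the shape of the posts on this page
# (hosts, paths and hashes are placeholders, not real indicators).
SAMPLE_ADVISORY = """\
The macro can download the trojan from the following locations:

example-one.invalid/~clientes/6543f/payload.exe
hxxp://example-two.invalid/u5y432/payload.exe
hxxps://www.example-three.invalid/secure/payment.php?a=1&b=2
hxxp://203.0.113.9/85.exe?1

The trojan can make connections to the following IPs:

192.0.2.10
198.51.100.7

SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SHA256:FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
"""


@dataclass
class Indicators:
    urls: list[str] = field(default_factory=list)
    ips: list[str] = field(default_factory=list)
    sha256: list[str] = field(default_factory=list)


# "SHA256:" with optional whitespace, then exactly 64 hex digits.
_SHA256_RE = re.compile(r"\bSHA256:\s*([0-9a-fA-F]{64})\b")
# Dotted-quad IPv4 with each octet limited to 0-255.
_IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Optional (possibly defanged) scheme, a DNS name or IPv4 host, and a path.
# The path is required so that bare IPs in the "connections" list are not
# mistaken for URLs.
_URL_RE = re.compile(
    r"\b(?:(h[tx]{2}ps?)://)?"
    r"((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})"
    r"(/\S*)",
    re.IGNORECASE,
)


def refang(url: str) -> str:
    """Rewrite a defanged hxxp:// or hxxps:// scheme to http:// or https://."""
    return re.sub(r"^h[tx]{2}(ps?)://", r"htt\1://", url, flags=re.IGNORECASE)


def _add_unique(items: list[str], value: str) -> None:
    if value not in items:
        items.append(value)


def extract_indicators(text: str) -> Indicators:
    """Collect URLs (refanged, http:// assumed when no scheme is given),
    IPv4 addresses and SHA256 hashes from advisory text.

    Each list keeps first-seen order without duplicates, so it can be
    written straight into a blocklist.
    """
    found = Indicators()
    for scheme, host, path in _URL_RE.findall(text):
        _add_unique(found.urls, refang(f"{scheme or 'http'}://{host}{path}"))
    for ip in _IPV4_RE.findall(text):
        _add_unique(found.ips, ip)
    for digest in _SHA256_RE.findall(text):
        _add_unique(found.sha256, digest.lower())
    return found


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_ADVISORY)
    for kind, values in vars(result).items():
        print(kind)
        for value in values:
            print("  ", value)
```

An IP that appears as the host of a download URL is reported in both the `urls` and the `ips` lists on purpose: the URL feeds a proxy blocklist, while the bare address feeds firewall or DNS telemetry that never sees the path.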


New Excel malware: Purchase Order 124658 from CliniMed Limited


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Purchase Order  124658”.

This email is sent from the spoofed address “Gina Harrowell <gina.harrowell@clinimed.co.uk>” and has the following body:

Sent 2 DEC 15 09:18

CliniMed Ltd
Cavell House
Knaves Beech Way
Loudwater
High Wycombe
Bucks
HP10 9QY

Telephone 01628 850100
Fax 01628 850331

From: CliniMed Limited

Company Registration No: 01646927

Registered Office: Cavell House, Knaves Beech Way,
Loudwater, High Wycombe, Bucks, HP10 9QY

The contents of this e-mail are confidential to the sender and the addressee. If you are not the addressee, or responsible for delivering to the addressee, please notify us immediately by telephoning our IT Support on 01628 850100 (UK) or +44 1628 850100 (international) and delete the message from your computer without copying or forwarding it or disclosing its contents to any other party. CliniMed Limited cannot accept any responsibility for changes made to this message after it was sent and you should not rely on information given in the message without obtaining written confirmation. It is the responsibility of the addressee to scan incoming mail for viruses and CliniMed Limited accepts no liability or responsibility for viruses. Opinions expressed in this e-mail are those of the sender and may not reflect the opinions and views of CliniMed Limited.

The attached file P-ORD-C-10156-124658 is a 94 kB Excel file with a malicious macro.

The Excel is detected as LooksLike.Macro.Malware.gen!x3 (v), Trojan.Script.MLW.dyxcgi, heur.macro.download.cc or HEUR.VBA.Trojan.

At the time of writing, 5 of the 55 AV engines detected the Excel malware at Virus Total.
SHA256: 96a1cc638a0beecce0fd3ada82901009993d0ef5f76dac4e6ccf30ce2d3bc8ea

The malicious macro in the Excel file downloads an additional 328 kB malware executable from the following hosts:

det-sad-89.ru/4367yt/p0o6543f.exe
vanoha.webzdarma.cz/4367yt/p0o6543f.exe

The trojan is known as Troj.Downloader.W32.Obfuscated, BehavesLike.Win32.Dropper.fh or HEUR/QVM10.1.Malware.Gen.

At the time of writing, 3 of the 54 AV engines detected the trojan at Virus Total.
SHA256: 450349f6ceede5c78f6eb26af82b1e5e7771b269fbb5bba7419d5a26d6b03f0c


New Word malware with the subject “Aline Payment Request”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Aline Payment Request”.

This email is sent from the spoofed address “Bruce Sharpe <bruce@alinepumps.com>” and has the following body:

ATTENTION: ACCOUNTS PAYABLE

Dear Sir/Madam,

Overdue Alert

Our records show that your current balance with us is �2795.50 of which �2795.50 is still overdue.

Your urgent attention and earliest remittance of this amount would be appreciated.

We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@alinepumps.com

Sincerely,

Bruce Sharpe – Accounts Receivable

PO Box 694 Engadine NSW 2233 P. 02 9544 9999 F. 02 9544 8599 E. bruce@alinepumps.com

The attached file Statement_1973_1357257122414.doc is a 90 kB Word file with a malicious macro that downloads additional malware.

The Word malware is detected as Trojan.Script.MLW.dyxcgi, HEUR.VBA.Trojan, heur.macro.download.cc or Trojan-Downloader/W97M.Iron.

At the time of writing, 4 of the 54 AV engines detected the trojan at Virus Total.
SHA256: d9db7d32949c4df6a5d9d0292b576ae19681be7b6e0684df57338390e87fc6d6


Email “Invoice from DATANET the Private Cloud Solutions Company” contains malicious Excel


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice from DATANET the Private Cloud Solutions Company”.

This email is sent from the spoofed address “Holly Humphreys <Holly.Humphreys@datanet.co.uk>” and has the following body:

Dear Accounts Dept :

Your invoice is attached, thank you for your business.

If you have any queries please do not hesitate to contact us.

Regards

DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday

Please reply to Accounts@datanet.co.uk
________________________________
Holly Humphreys
Operations
Datanet – Hosting & Connectivity
E: Holly.Humphreys@datanet.co.uk
W: www.datanet.co.uk <http://www.datanet.co.uk>
T: 01252 810010
F: 01252 813391
S: 01252 813396 – Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24×7

DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of “CIA” – “Confidentiality, Integrity and Availability” at the heart of our private cloud solutions.

Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.

Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England – No. 03214053

The attached file, named C/\Users\HOLLY~1.HUM\AppData\Local\Temp\Inv_107666_from_DATANET.CO..xls, is an Excel sheet with a malicious macro.

The malicious Excel sheet is detected as LooksLike.Macro.Malware.gen!x3 (v) or heur.macro.download.cc by 3 of the 55 engines at Virus Total.
SHA256: b6aec60340d848714df78289f6734d4b3d877dacaea7e70e78bed0ccd4b8b4e7

The macro will download the following file:

encre.ie/u5y432/h54f3.exe

The trojan is detected as HEUR/QVM10.1.Malware.Gen by 1 of the 52 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 69baedcd4300842e9d2c7c2938bbfcfdb65cf384c6fd8e3b2622f2e1546c9bb7


New Word malware with email “ICM – Invoice #2393”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “ICM – Invoice #2393”, which we believe is a continuation of the previous campaign “Invoice from DATANET the Private Cloud Solutions Company”, since the Word macro downloads the same executable.

This email is sent from the spoofed address “Industrial Cleaning Materials (ICM) <sales@icmsupplies.co.uk>” and has the following body:

Dear Customer,

Please find invoice 2393 attached.

Kind Regards,
ICM

Industrial Cleaning Materials
Unit 19 Highlode Ind Est
Stocking Fen Road
Ramsey
Huntingdon
Cambridgeshire
PE26 2RB

Tel: 01487 800011
fax 01487 812075

The attached file order_2393.doc is a Word file with an embedded malicious macro.

The Word file is detected as heur.macro.download.cc or Trojan-Downloader/W97M.Iron by 2 of the 54 AV engines at Virus Total.
SHA256: 00ab8a1a2bfa99a92e0cacaaf1e7ca1af6c8cc0eab6f070f157ec9c2d7f03a51

The macro downloads the executable h54f3.exe from the following locations:

http://www.ofenrohr-thermometer.de/u5y432/h54f3.exe
ante-prima.com/u5y432/h54f3.exe

The trojan is detected as HEUR/QVM10.1.Malware.Gen by 1 of the 52 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 69baedcd4300842e9d2c7c2938bbfcfdb65cf384c6fd8e3b2622f2e1546c9bb7


Malicious script attached to email “Your order #47994403 – Corresponding Invoice #7704B491”


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your order #47994403 – Corresponding Invoice #7704B491”.

This email is sent from the spoofed address “Jose Soto <SotoJose85350@gd-avocat.ch>” and has the following body:

Dear Valued Customer,

We are pleased to inform you that your order #47994403 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don’t hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.

We look forward to your remittance and will the dispatch the goods.

Thank you for choosing our services we sincerely hope to continue doing business with you again.

Sincerely,
Jose Soto

Sales Department Manager
Fretter Inc.
2715 Sycamore Road
Nyssa, OR 97913

The attached file copy_invoice_47994403.zip contains the 12 kB file invoice_SCAN_esNDV.js, which is in fact obfuscated JavaScript that downloads further malicious files from remote hosts.

The malicious script is detected as S/Downldr.CZ.gen or BehavesLike.JS.ExploitBlacole.zv by 2 of the 55 AV engines at Virus Total.
SHA256: 6d0f812ca90175e117062644b4c917dad640cd830986ace2463adc42dd6e270e

Update 09/12/2015 – 15:55:

Further analysis shows that the malicious JavaScript is not browser-compatible and must be run under the Windows Script Host. Malware is downloaded from the following hosts:

46.151.52.197/85.exe
softextrain64.com/86.exe
46.151.52.197/86.exe

The 360 kB executable is detected as Win-Trojan/Teslacrypt.Gen, HW32.Packed.323C, BehavesLike.Win32.Downloader.fh or QVM20.1.Malware.Gen by 4 of the 54 AV engines at Virus Total.
SHA256: 7b3ed4c70749a6db99a30233441def814b804dab692a67a45a88e32f8a83cf3b


Malicious script attached to email “Reference Number #10207614, Last Payment Notice”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Reference Number #10207614, Last Payment Notice” (numbers in the subject will vary).

This email is sent from the spoofed address “Raul Booth <BoothRaul64156@bulshit.org>” and is signed by Raul Booth of the company Foreman&Clark Ltd.

The email has the following body:

Dear Client,

This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $6,137.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.

Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.

Sincerely,
Raul Booth
Sales Manager

Foreman&Clark Ltd.
256 Raccoon RunSeattle,
WA 98101

The attached file copy_invoice_10207614.zip contains the 16 kB file invoice_copy_dXSLK7.js, which contains obfuscated JavaScript.

This technique seems to be trending: the campaign shares its characteristics with the earlier campaign Malicious script attached to email “Your order #47994403 – Corresponding Invoice #7704B491”. The malicious JavaScript is not browser-compatible and must be run under the Windows Script Host.

The malicious script is known as JS/Downldr.CZ.gen.

At the time of writing, 3 of the 53 AV engines did detect the malware at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 4f52bea6b608d1fe17a25f15b7158ae4581752811adb145434cc693a8dab6d21

The Javascript can make contact with the following hosts/IPs:

46.151.52.196
softextrain64.com

In our sample, the 336 kB file 80.exe is downloaded from 46.151.52.196/80.exe?1.

The malware is known as Trojan.Win32.Swizzor.1!O, HEUR/QVM10.1.Malware.Gen or Mal/Wonton-BX.

At the time of writing, 3 of the 54 engines detected the malware at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: c5c2f7c25584cefa879cee52ba300404d1a123a5e5b73638826ae45951a8f7b6
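Both this post and the earlier “Your order #47994403 – Corresponding Invoice #7704B491” post note that the attached .js does not run in a browser but under the Windows Script Host: a zip whose only member is a script is enough to deliver the downloader once the user extracts and double-clicks it. As an added example that is not MX Lab's code, the Python below implements a mail-gateway policy check that inspects zip attachments without extracting them and holds any that carry a WSH-executable script. The attachments it tests are constructed in memory, and the extension list is an assumed policy, not something the posts specify.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types that Windows Script Host (wscript.exe / cscript.exe) runs when a
# user double-clicks them after extraction. Assumed policy list for this
# example; extend it to match local gateway rules.
WSH_SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def scripts_in_zip(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members with a WSH script extension.

    Only the central directory is read; nothing is extracted, so this is
    cheap enough to run on every inbound archive.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Only the last suffix counts: "invoice.pdf.js" is still a .js.
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in WSH_SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def should_quarantine(attachment_name: str, attachment_bytes: bytes) -> bool:
    """Gateway rule: hold the message if the attachment is itself a WSH
    script, or is a zip archive (by content, not by name) containing one."""
    suffix = PurePosixPath(attachment_name).suffix.lower()
    if suffix in WSH_SCRIPT_EXTENSIONS:
        return True
    if zipfile.is_zipfile(io.BytesIO(attachment_bytes)):
        return bool(scripts_in_zip(attachment_bytes))
    return False


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed attachments that mirror the naming seen in the campaigns above;
# the script body is a placeholder, not the real downloader.
SCRIPT_ZIP = build_sample_zip({"invoice_copy_XXXXXX.js": b"// placeholder"})
BENIGN_ZIP = build_sample_zip({"invoice_000000.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for name, data in (("copy_invoice_000000.zip", SCRIPT_ZIP), ("scan.zip", BENIGN_ZIP)):
        verdict = "quarantine" if should_quarantine(name, data) else "deliver"
        print(f"{name}: {verdict}")
```

The archive test is by content (zip magic), not by attachment name, so a renamed archive is still inspected. Nested archives are not descended into; a production filter would recurse with a depth limit.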



New Word malware: STMT ACWL-15DEC12-120106 from mamsoft.co.uk


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “STMT ACWL-15DEC12-120106”.

This email is sent from the spoofed address “"accounts@mamsoft.co.uk" <statements@mamsoft.co.uk>” and has the following body:

The following are attached to this email:
XACWL-15DEC12-120106.DOC

The attached file XACWL-15DEC12-120106.DOC is a Word file with a malicious macro that downloads the payload from a remote host.

The malicious Word file is known as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, Trojan.Script.Dinihou.coscqs, heur.macro.download.cc or Trojan-Dropper/W97M.Bouen by 6 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: d24ce045246fd4ac7e959dbf82a4a16ae445b014b0d70319c2506a53183a3a7d

The macro downloads the 238 kB executable 76gjk.exe from life.1pworks.com/76t7h/76gjk.exe; it is detected as BehavesLike.Win32.Downloader.dc or HEUR/QVM07.1.Malware.Gen by 2 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 5314fde2ed059597ceefd24e94ff13d97c33375f20b0aea4f6a8d855aa048dc8


New Word malware: Order 311286 Acknowledged from sales@touchstonelighting.co.uk


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order 311286 Acknowledged”.

This campaign is a variant of the campaign New Word malware: STMT ACWL-15DEC12-120106 from mamsoft.co.uk, because the Malwr analysis of the file refers to the same file XACWL-15DEC12-120106.DOC. The difference lies in the email and the renamed Word document.

This email is sent from the spoofed address “sales@touchstonelighting.co.uk” and has an empty body.

The attached file Order Acknowledgement.doc is a Word file with a malicious macro that downloads the payload from a remote host.

The malicious Word file is known as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN, Trojan.Script.Dinihou.coscqs, heur.macro.download.cc, Trojan-Dropper/W97M.Bouen or WM/Agent!tr by 6 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: cf17078aa0d42f48defd04cacdd54088b20a571be454e68495583142dc137a11

The macro downloads the 238 kB executable 76gjk.exe from gunugun.com/76t7h/76gjk.exe; it is detected as BehavesLike.Win32.Downloader.dc or HEUR/QVM07.1.Malware.Gen by 2 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 5314fde2ed059597ceefd24e94ff13d97c33375f20b0aea4f6a8d855aa048dc8


Malicious script attached to email “Invoice #62657921/58739D0D”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice #62657921/58739D0D” (characters in the subject vary with each email).

This email is sent from the spoofed address “Franklin Goff <GoffFranklin0252@everythingcreativedesigns.com>” and has the following body:

Dear Client,

Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.

Thank you for understanding.

The attached file SCAN_invoice_62657921.zip (numbers may vary) contains the 8 kB file invoice_PZCM5P.js, which is obfuscated JavaScript. The malicious JavaScript is not browser-compatible and must be run under the Windows Script Host.

The malware is detected as JS/Downldr.CZ.gen, JS/TrojanDownloader.Nemucod.CK, JS/Crypt.A!tr, BehavesLike.JS.ExploitBlacole.zv or Trojan.Script.Kryptik.dzcqji by 5 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 8f1ab7d35175410e63b706454a826059573660e9c27ca1929108b6dc52b454ef

The Javascript can make contact with the following hosts/IPs:

soft2webextrain.com
myexternalip.com 78.47.139.102
kochstudiomaashof.de 213.185.88.133

The 426 kB executable 87.exe is downloaded from hxxp://46.151.52.231/87.exe?1.

The malware is detected as UDS:DangerousObject.Multi.Generic, a variant of Win32/Injector.COFK, BehavesLike.Win32.PWSZbot.gc, PE:Trojan.Ransom-Tesla!1.A322 [F] or Trojan.Win32.R.Agent.425984.E[h] by 6 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 9c289d9426d6f565cb640d2ccb49ee0af989463cbdb7cbdab6110997808c4061


New Word malware: email “Bestellung Nummer 34165268” from BSH Order Center


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Bestellung Nummer 34165268” (the number varies in each email). The email is in German and so far, according to our global logs, is targeting mailboxes on .de domains.

This email is sent from the spoofed address “Albrecht Klein <KleinAlbrecht563@orange.es>” and has the following body:

Dear Sir or Madam,
please find attached a new order from the company BSH Hausgeräte GmbH.
Please state the order number on the invoice so that it can be matched quickly and payment can be arranged.

Kind regards,
BSH Order Center

This email was checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

The attached file invoice34165268.doc (the number in the file name varies in each email) is a 25 kB Word file with a malicious macro.

The malware is detected as CXmail/OleDl-A by 1 of the 54 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 3d495445a2d14e4af7eb7a7c3806fe759d1ee55c5f06923e3472b2c8fda0814d


New Word malware: “Euromaster – Rechnung – 61960508 – 11.12.2015”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Euromaster – Rechnung – 61960508 – 11.12.2015” (number will vary in each email).

This email is in German and so far, according to our global logs, is targeting mailboxes on .de domains. It is also a variant of the previous campaign New Word malware: email “Bestellung Nummer 34165268” from BSH Order Center.

This email is sent from the spoofed address “Ferdinand Neumann <NeumannFerdinand780@business.telecomitalia.it>” and has the following body:

Dear Sir or Madam,

please find attached your online invoice 61960508 of 11.12.2015 for 256,82 €.

If you have any questions, please contact your EUROMASTER expert or send an email to: ****

We look forward to continuing our successful cooperation and remain with kind regards

Your EUROMASTER experts for tyres, wheels and car service

———————–
Euromaster GmbH
Mainzer Straße 81
67657 Kaiserslautern

The attached file invoice61960508.doc (the number in the file name varies in each email) is a 25 kB Word file with a malicious macro.

The malware is detected as CXmail/OleDl-A by 1 of the 54 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: e3cd8ed1f2cafd4be1c5f630d56201fd09f6d4fdd4f25eb41aab40450ab1c19a


New Word malware: FW: Scan from a Samsung MFP


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Scan from a Samsung MFP”.

This email is sent from the spoofed address “Gareth Evans <gareth@cardiffgalvanizers.co.uk>” and has the following body:

Regards

Gareth

-----Original Message-----

Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http://www.samsungprinter.com.

This message has been scanned for malware by Websense. http://www.websense.com

The attached file Untitled_14102015_154510.doc is a Word file with a malicious macro that downloads new malware from:

hxxp://test1.darmo.biz/437g8/43s5d6f7g.exe

The malware is detected as LooksLike.Macro.Malware.gen!d1 (v), heur.macro.download.cc or Troj/DocDl-BC by 7 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 33fee8120dc8e45b20dd17060ed941a9b90142d9254a2ec5ec89196015f6380a

The 193 kB executable 43s5d6f7g.exe is detected as QVM20.1.Malware.Gen by 1 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 142e24ba1fdcf998986e526bf2e85dfbc9fe627e5b7b29033ffb45ace6e2c716


New Word malware: Invoice 15069447 from Cleansing Service Group


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice 15069447 from Cleansing Service Group”.

The malware downloaded by the malicious Word macro is already in use in a different campaign, so this email is in fact a variant of “FW: Scan from a Samsung MFP”.

Also note that, at this point, the malware has been removed from the host. However, a new download host can be put in place at any time, so remain careful when receiving this kind of email.

This email is sent from the spoofed address “CSG <accounts@csg.co.uk>” and has the following body:

Please see attached invoice from Cleansing Service Group.
Any queries please do not hesitate to contact us.

Cleansing Service Group
Chartwell House
5 Barnes Wallis Road
Segensworth East
Fareham
Hampshire
PO15 5TT
Tel: 01489 776312
Fax: 01489 881369
E-mail: accounts@csg.co.uk
Web: http://www.csg.co.uk

Join us on LinkedIn Follow us on Twitter Like us on Facebook

This email (and any associated files) is intended solely for the use of the intended recipient(s) and may contain information that is confidential, subject to copyright or constitutes a trade secret. Any views or opinions expressed in this email are solely those of the author and do not necessarily represent those of Cleansing Service Group Ltd. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please notify us immediately by replying to the message and deleting it from your computer. Emails sent to and from us may be monitored.

Cleansing Service Group Ltd – http://www.csg.co.uk

Registered Address: Chartwell House, 5 Barnes Wallis Road, Segensworth East, Fareham, Hampshire, PO15 5TT

Registered in England and Wales – Number 530446

The attached file 15069447.doc is a Word file with a malicious macro that downloads new malware from:

hxxp://test1.darmo.biz/437g8/43s5d6f7g.exe

The malware is detected as LooksLike.Macro.Malware.gen!d1 (v), heur.macro.download.cc or Troj/DocDl-BC by 6 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: af3bc183a3fdb6d93267aeabeb339bb519468a991d99f2ef4008d81667f693a8



New Word malware: Betreff: E2DF65AC – fake invoice from Büromarkt Böttcher AG


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Betreff: E2DF65AC” (combination will vary with each email).

This email is sent from various spoofed addresses and has the following body:

Your invoice from Büromarkt Böttcher AG

Dear Sir or Madam,

thank you for your order. It will be dispatched immediately by our
logistics centre.

Please find your invoice enclosed.

Your customer number: D81288800
Your invoice number: 098ABF5E

Kind regards
Your team at Büromarkt Böttcher AG

Büromarkt Böttcher AG

Address:
Brüsseler Straße 3
07747 Jena
Management board:
Helge Bauer

*14 cents incl. VAT/min from the German landline network; maximum mobile rate 42
cents incl. VAT/min

The attached file invoice71703875.doc (the number in the file name varies with each email) is a 25 kB Word file with a malicious macro.

The malware is detected as Trojan.MacroDown.Gen.TN by 1 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: adcec267f659a412730c1296a200c2603ebeec68633aa792eb9af175fe56342b

The embedded macro connects to the following URL: hxxp://179.60.144.18/captain/black.php

The 119 kB executable _123.exe is then downloaded; it is detected as HW32.Packed.3A08, BehavesLike.Win32.Fednu.cc, PE:Malware.Generic(Thunder)!1.A1C4 [F] or Trojan.Win32.Generic.pak!cobra by 7 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 36d87d3b0568effe100a4b5716eedde2840802dac6d4bd187986f45b342bf5f3


New Word malware: Order PS007XX20000584


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order PS007XX20000584”.

This email is sent from the spoofed address “Nicola Hogg <NHogg@pettywood.co.uk>” and has an empty body.

The attached file PS007XX20000584 – Confirmation with Photos.DOC contains the xx kB large file xxxxx.

The malware is detected as Trojan:W97M/MaliciousMacro.GEN, Macro.Trojan-Downloader.Agent.KF or LooksLike.Macro.Malware.gen!d1 (v) by 5 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 28e5175f9dec6a1d176db23e5e4e068a0782e02c046c049d3f90b0884d626e77

The embedded malicious macro downloads the malware from kutschfahrten-friesenexpress.de/8iy45323f/i87645y3t23.exe

The malware is detected as HEUR/QVM19.1.Malware.Gen or PE:Malware.XPACK-LNR/Heur!1.5594 [F] by 2 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 6b20d33e98443022bf235d483f3dcbe607dfea9cf86f191489b730b8eb22e217


New Word malware: Documentation: Your Order Ref: SGM249/013


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Documentation: Your Order Ref: SGM249/013”.

This email is sent from the spoofed address “Jonathan Carroll <Jonathan@john-s-shackleton.co.uk>” and has the following body:

Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15

Attachments:
s547369.DOC Shackleton Invoice Number 355187

John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Sheffield
S4 8BU

Tel: 0114 244 4767
Fax: 0114 242 5965

E-mail: sales@john-s-shackleton.co.uk
Web: www.johnsshackleton.co.uk

Phone us for a free stock brochure.

Our product range includes: Beams, Columns, Pfc’s, Channels, Flats, Rounds, Squares, Angles, Tees, Convex, ERW Tubes, Hollow Section, Cold Reduced Sheet, Hot Rolled Sheet Galvanised Sheet, Zintec Sheet, Floorplate, Open Mesh Flooring, Handrail Standards, Tube, Tubeclamps. Welded Mesh, Expanded Metal, Perforated Sheet, U Edging, Fencing and Bright Bar.

IMPORTANT NOTE

Our Terms and Conditions of Sale apply to all quotations and the supply of all goods. Copies of our Terms and Conditions of Sale are available on request or can be found on our website www.johnsshackleton.co.uk . These Terms and Conditions include a provision (see term 12) that title to goods supplied shall not pass to a customer until payment is received by us in full for all goods supplied. We only accept orders for the supply of goods on the basis our Terms and Conditions of Sale apply.

The attached file s547369.DOC is a Word file with an embedded malicious macro.

The malware is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: a3d10e08999093b212be81c3294c0e4dbb90a9a5783179c1158b6fe20af15ed2

The macro downloads the malware from wattplus.net/98g654d/4567gh98.exe

The file 4567gh98.exe is detected as Trojan.Win32.Injector.cdgy (v), PE:Malware.Obscure!1.9C59 [F] or UDS:DangerousObject.Multi.Generic by 6 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 4985218139506968b541187195a7612ed6da398c88a8ba124201820a617d7d25


New Excel malware: Invoice No.504514 from Calendars and Diaries of Bristol Limited


MX Lab, http://www.mxlab.eu, started to intercept a new variant of a previous malware distribution campaign by email, this time with the subject “Invoice No.504514”. The fake email is sent from the spoofed address “Sharon Samuels <sharons31@brunel-promotions.co.uk>” and has the following body:

Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.

Regards

Sharon

——————————————–
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster

BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235

The attached file IN504514.xls is an Excel sheet with a malicious macro that downloads other files.

The malware is detected as HEUR.VBA.Trojan, Trojan:W97M/MaliciousMacro.GEN or heur.macro.download.cc by 4 of the 54 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: 3022caeffabdcbcd6d7d84ad24a1b7f17aedfffe3c743751dc88445c07566852

The macro will download the file from the following host:

hxxp://winnig.privat.t-online.de/98g654d/4567gh98.exe

The downloaded file, 4567gh98.exe, is the same malware as specified in the previous campaign New Word malware: Documentation: Your Order Ref: SGM249/013.


Malicious Javascript attached to fake email “Your account has a debt and is past due”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Your account has a debt and is past due”.

This email is sent from several different spoofed addresses, for example “Joan French <FrenchJoan29930@sgnet-rs.com.br>”, and has the following body:

Dear Customer,

Our records show that your account has a debt of $649.{rand(10,99)}}. Previous attempts of collecting this sum have failed.

Down below you can find an attached file with the information on your case.

The attached file SCAN_INVOICE_01599126.zip contains the 25 kB file invoice_SCAN_B1JY6.js.

The malware is detected as JS/Downloader.Agent, JS/Downldr.CZ1!Eldorado or Trojan.Script.Kryptik.dzcqji by 3 of the 53 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: b91d5633d42db37f348ea23cd7bb6cccbad86a8720521ac86f70dc10780d697d

The JavaScript downloads further malware from the host hxxp://whatdidyaysay.com/80.exe?1

The malware 80.exe is detected as PE:Trojan.Kryptik!1.A32E [F] or QVM10.1.Malware.Gen by 2 of the 55 AV engines at Virus Total.

Use the Virus Total or Malwr for more detailed information.
SHA256: cd62195a5d75e7dcd3e6a7c0a8699a824a56350b0d7bf45ea113889ce360cb81

