07/03/2018 11:56

March 07, 2018 malware spam campaigns via email to Italy

TG Soft's C.R.A.M. (Anti-Malware Research Center) examined the malware campaigns spread via email to Italian users on March 07, 2018.

Cyber-criminals use "social engineering" in their fraudulent mass mailings to induce the victim to open infected attachments or click on links in the body of the message.

If you received a suspicious email, send it to C.R.A.M. (Anti-Malware Research Center): How to send suspicious emails

INDEX

  • Campaign "New order!" (Adwind)
  • Campaign "BANK TRANSFER FORM" (Trojan.Injector)
  • Campaign "Payment against your P.I 467301" (Trojan Generic)
  • Campaign "Port agency appointment- MV Frontier Lodestar" (Trojan.Injector)
  • Campaign "TM Project Inquiry" (Trojan Generic)
  • Campaign "Request for the submission of Technical Bid" (Trojan Generic)
  • Campaign "Contract prolongation" / "DHL SHIPMENT 03-07-18" (Banker)
  • How to identify a fake email
  • How to send suspicious emails for analysis
  • Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

Campaign "New order!"

Malware family: Adwind
VirIT: Trojan.Java.Adwind.ADB

Description:
Below you can see a sample email from the campaign "New order"

Subject: New order


Good morning,

Dear Mr,

Sirs,

Good morning. Thanks for your reply. ^^

We sent our new order(P/O SAT-18-014) by e-mail.

Please find the attached PURCHASE ORDER of P/O SAT-18-014.

Please send confirmation on or 13th, March. 2018.

Description
PT-320-T01                       7EA
PT-10MLD-10                     2EA

We look forward to hearing your good reply.

If you have any problem, please feel free to contact me by E-mail.

With kind and best regards.


Example of a malicious email (screenshot)

Attachments:
Name: SAT180313.jar
MD5: 1E1CB0AE838CAD992444F9B3317025FB
Size: 555.653 byte

Note:
The email carries the file "SAT180313.jar", a Java archive that runs as soon as it is opened on a machine with a Java runtime installed. Once executed it:
  1. Terminates any running processes that belong to antivirus or anti-malware products.
  2. Starts the process "%userprofile%\AppData\Local\Temp\Retrive7343827147648436592.vbs".
  3. Edits the registry with the command: regedit.exe /s %userprofile%\AppData\Local\Temp\OCQwXbPsua4899808332902748894.reg (the /s switch imports the .reg file silently, without the confirmation prompt).
  4. Exchanges data over a loopback socket (logged as an IPv6 address for localhost), port 7777.
  5. Connects to the addresses listed in the IOC section below for data exchange.
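The execution chain above maps to a handful of host-side detections. The following is an added example, not code from TG Soft or from this report: it runs four rules over constructed Sysmon-style process-creation and network-connection events that mirror the steps listed. The Java path, the user profile, the use of wscript.exe as the interpreter for the .vbs and the event field names are assumptions; the loopback port and the C2 endpoints come from the IOC list of this campaign.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, EventID 3 =
# network connection) modelled on the behaviour this report describes for
# SAT180313.jar. Sample data only, not a real capture: the Java path, the
# user name and the use of wscript.exe to run the .vbs are assumptions.
JAVA = r"C:\Program Files\Java\jre1.8.0_161\bin\java.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": JAVA, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + JAVA + r'" -jar "C:\Users\mario\Downloads\SAT180313.jar"'},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": JAVA,
     "cmdline": r'wscript.exe "C:\Users\mario\AppData\Local\Temp\Retrive7343827147648436592.vbs"'},
    {"id": 1, "image": r"C:\Windows\regedit.exe", "parent": JAVA,
     "cmdline": r"regedit.exe /s C:\Users\mario\AppData\Local\Temp\OCQwXbPsua4899808332902748894.reg"},
    {"id": 3, "image": JAVA, "dst_ip": "127.0.0.1", "dst_port": 7777},
    {"id": 3, "image": JAVA, "dst_ip": "95.141.43.217", "dst_port": 7779},
    # Benign: an administrator importing a policy file from cmd.exe must not fire.
    {"id": 1, "image": r"C:\Windows\regedit.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regedit.exe /s C:\deploy\policy.reg"},
]

# Endpoints from this report's IOC list (the IPv4-mapped IPv6 addresses, written as IPv4).
C2_ENDPOINTS = {("62.0.58.94", 443), ("95.141.43.217", 7779)}

# Regex fragment for the per-user Temp directory used by the dropped files.
TEMP_DIR = r"\\AppData\\Local\\Temp\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_java(path):
    return basename(path) in {"java.exe", "javaw.exe"}


def detect_adwind_chain(events):
    """Return (event_index, rule_name) for every event that matches one of four
    rules derived from the behaviour list: Java launching a .vbs from Temp, Java
    launching a silent .reg import from Temp, Java talking to localhost:7777,
    and Java connecting to a listed C2 endpoint."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 1 and is_java(ev["parent"]):
            img, cmd = basename(ev["image"]), ev["cmdline"]
            if img in SCRIPT_HOSTS and re.search(TEMP_DIR + r'[^"]+\.vbs', cmd, re.I):
                hits.append((i, "java_spawns_vbs_from_temp"))
            elif img == "regedit.exe" and re.search(r"\s/s\s", cmd, re.I) \
                    and re.search(TEMP_DIR + r'[^"\s]+\.reg', cmd, re.I):
                hits.append((i, "java_silent_reg_import_from_temp"))
        elif ev["id"] == 3 and is_java(ev["image"]):
            if ev["dst_ip"] in ("127.0.0.1", "::1") and ev["dst_port"] == 7777:
                hits.append((i, "java_loopback_7777"))
            elif (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                hits.append((i, "java_to_known_c2"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect_adwind_chain(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(idx, rule, ev.get("cmdline") or "%s:%s" % (ev["dst_ip"], ev["dst_port"]))
```

The parent-process condition is what keeps the regedit rule quiet on legitimate silent imports: on its own, "regedit.exe /s" is common in deployment scripts, but a Java process importing a .reg file from the user's Temp directory is not.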

IOC:

MD5:
1E1CB0AE838CAD992444F9B3317025FB
7F97F5F336944D427C03CC730C636B8F
C17B03D5A1F0DC6581344FD3D67D7BE1
0B7B52302C8C5DF59D960DD97E3ABDAF
URL:
localhost
vvrhhhnaijyj6s2m.onion.top
0:0:0:0:0:ffff:3e00:3a5e (62.0.58.94) Port: 443
0:0:0:0:0:ffff:5f8d:2bd9 (95.141.43.217) Port: 7779


Campaign "BANK TRANSFER FORM"

Malware family: Trojan.Injector
VirIT: Trojan.Win32.Injector.ATT

Description:
Below you can see a sample email from the campaign "BANK TRANSFER FORM"

Subject: BANK TRANSFER FORM

Dear,

We were instructed earlier by your client to help him remit your outstanding payment, cause he will be on vacation from 03/03/2018 to 06/04/2018

Please reconfirm your bank details asap in the attached Bank Transfer Form before we proceed to the bank for payment.

Thanks & Best Regards.

Bernard Galvan
General Manager


Example of a malicious email (screenshot)

Attachments:
Name: BANK TRANSFER FORM201873.ace
MD5: 7792A36210492332E13DFD97D90DE84F
Size: 286.572 byte

Note:
The email carries the ACE archive "BANK TRANSFER FORM201873.ace", which contains an executable of the same name, "BANK TRANSFER FORM201873.exe". ACE archives are not handled by the Windows built-in extractor, so the lure relies on the victim having a third-party archiver such as WinRAR installed. Once started, the executable connects to "http://18panels[.]info/juki/fre[.]php" and sends packets containing various information collected from the infected PC. The malware belongs to the Spyware / Stealer family.

Name: BANK TRANSFER FORM201873.exe
MD5: 1BA466FAE82C9EB34208BB5B97C62C10
Size: 487.424 byte

IOC:
 
MD5:
7792A36210492332E13DFD97D90DE84F
1BA466FAE82C9EB34208BB5B97C62C10
URL:
18panels[.]info/juki/fre.php
kbfvzoboss[.]bid/alien/fre.php
alphastand[.]trade/alien/fre.php
104.24.119.140





Campaign "Payment against your P.I 467301"

Malware family: Trojan Generic
VirIT: Trojan.Win32.Genus.AXU

Description:
Below you can see a sample email from the campaign "Payment against your P.I 467301"

Subject: Payment against your P.I 467301

I didn't receive your mail. I've called your Office by Phone but its not going through and I don't have your mobile number.

Attach payment for this first Order Looking forward for your prompt reply.
 

Regards
Santhosh
Roys joseph I Sr. Sales Executive
Faisal Al Qatami Steel Trad. Co. (Al-Rai Branch)
P.O.Box: 23090 Safat, 13091 Kuwait
Tel: (965) 24735460 ; (965) 24735416
Mobile: (965) 97254467 ; Fax: (965) 24735461
E-Mail:    alrai@qatamisteel.net
Website: www.qatamisteel.com


Example of a malicious email (screenshot)


Attachments:
Name: PaymentCopy_pdf.zip
MD5: 2FC699A0EC5026B466F79DA8E80FC6D3
Size: 320.050 byte

Note:
The attachment "PaymentCopy_pdf.zip" contains "PaymentCopy_pdf.exe", an executable whose name is chosen to pass for a PDF; once run it infects the victim's PC.
The malware belongs to the "Injector" family.

Name: PaymentCopy_pdf.exe
MD5: 3C8B7F1860724C2DE2F74F48597CF193
Size: 483.328 byte


IOC:
 
MD5:
2FC699A0EC5026B466F79DA8E80FC6D3
3C8B7F1860724C2DE2F74F48597CF193

Campaign "Port agency appointment- MV Frontier Lodestar"

Malware family: Trojan.Injector
VirIT: Trojan.Win32.Injector.AXU

Description:
Below you can see a sample email from the campaign "Port agency appointment- MV Frontier Lodestar"

Subject: Port agency appointment- MV Frontier Lodestar

Dear Sir,

We are pleased to appoint your good company as agents for our vessel MV
FRONTIER LODESTAR which is expected to arrive your PORT on 19 March,2018 at
around AM HRS. Vessel will be discharging 90k MAC FINE IRON ORE as per
attached BL's and Vessel particulars attached.

We will appreciate if you could kindly advise us your best PDA to enable us
confirm agency.

Do let us know if you require any further information/documents from our
end.

Thanks & Regards


Steven tao ??


Example of a malicious email (screenshot)


Attachments:
Name: scan_F4BC20F_pdf.gz
MD5: B223CD88F60851EA140B98573AF151AC
Size: 231.499 byte

Note:
The gzip attachment "scan_F4BC20F_pdf.gz" contains the file "scan_F4BC20F_pdf.exe", an executable named to look like a scanned PDF; once run it infects the victim's PC.
The malware belongs to the "Injector" family.

Name: scan_F4BC20F_pdf.exe
MD5: 9D93351244E942C709707C327FD3173E
Size: 487.424 byte

IOC:

 
MD5:
B223CD88F60851EA140B98573AF151AC
9D93351244E942C709707C327FD3173E

Campaign "TM Project Inquiry"

Malware family: Trojan Generic
VirIT: Trojan.Win32.Genus.AXU

Description:
Below you can see a sample email from the campaign "TM Project Inquiry"

Subject: TM Project Inquiry


Dear Sales Team,

We have in discussions the TM project with saudi Arabia Ministry of commerce and industry and according to the file attached, so
please send us the quotations accordingly and also some pictures will be helpful.

Thank you very much and best regards,

 

MOHAMMAD SAMIR KHAN
HEAD OF PROCUREMENT

EASTERN
Dammam Head Office:
Al-Manar Arabian Trading & Contracting Corp.
King Khalid Street, Near Dammam Central Hospital,
Opposite Carrefore Market
P.O. BOX 10257, Dammam-31433,
Dammam, Saudi Arabia
Tel:  +96613 – 851 – 7007
Fax: +96613 – 852 – 3881

Al-Hassa Branch
Hofouf
P.O. BOX 8531- Al-Hassa-S 1982, KSA
Tel: +96613 – 575 – 4805
Fax No: +96613 – 575 – 6648

CENTRAL
Riyadh Branch
King Abdul Aziz Street,Above Kawasaki Showroom,
P.O. BOX 19116, Riyadh-11435,
Riyadh, K.S.A
Tel: +96611 – 225 – 4519
Fax: +96611 – 225 – 4517

WESTERN
Jeddah Branch
Al-Sameer District Anqra street,
Al-Sameer Neighbourhood,
Jeddah, K.S.A
Tel: +96612 – 688–1772 / +96612 – 688 – 0331
Fax: +96612 – 688 – 0265

Tabuk Branch
Prince Abdul Aziz Street,
Al-Moroj District,
Against Al-Khozamy Palace,
Tabuk, K.S.A
Tel: +96614 – 432 – 0580

Prime Contact in the Event of Clarification Being Required:
Name: Saeed Mohd. Zahrani
Position: General Manager
Tel. No.: +96613 – 851 – 7007
FaxNo.: +96613 – 852 – 3881
Address: P.O. BOX 10257- Dammam -31433, K.S.A
e-Mail: info@manararabian.com




Example of a malicious email (screenshot)


Attachments:
Name: TM Project Inquiry.ace
MD5: 16D593EAC631DCE07341AA1C0CAB129B
Size: 243.818 byte

Note:
The ACE attachment "TM Project Inquiry.ace" contains the file "TM Project Inquiry.exe", which infects the victim's PC once executed. It acts as a downloader:

  1. Connects to "http://151.80.74[.]167/umeh/umeh[.]exe" and downloads the file "umeh.exe".
  2. Creates and executes the file %Userprofile%\AppData\Local\Temp\[RANDOM NUMBER].bat
  3. Executes "umeh.exe"

Name: TM Project Inquiry.exe
MD5: 4FA44D2F6D8A6240A8583E0945052158
Size: 331.776 byte

IOC:
 
MD5:
16D593EAC631DCE07341AA1C0CAB129B
4FA44D2F6D8A6240A8583E0945052158
URL:
http://151.80.74[.]167/umeh/umeh.exe

Campaign "Request for the submission of Technical Bid"

Malware family: Trojan Generic
VirIT: Trojan.Win32.Genus.AXU

Description:
Below you can see a sample email from the campaign "Request for the submission of Technical Bid"

Subject: Request for the submission of Technical Bid


Gents,

Please find herewith attached specification and RFQ  for AD DUQM GSS PROJECT. (Client: OGC) You are requested kindly submit your technical quote for the same.

All participating vendors shall be requested to submit the attached data sheet / TOC / RED FORM / VDRL duly filled up and stamped. Vendors who are not submitting the filled up data sheet / TOC / RED FORM / VDRL will be disqualified.

1.       AS PER ATTACHED REF. SPEC.: M1-047/16-5-019-4 REV 0

Terms & Conditions:

·         Please submit your Technical quotation/bid by email.
·         Please do not alter RFQ quantities. In case you are offering quantities different than RFQ Qty., Please mention in a separate column as "Offered Quantity".
·         Delivery period is the essence of the contract and as the materials are required for AD DUQM GSS PROJECT. Please quote your best delivery schedule.
·         Deviations from OGC specification, if any, shall be brought out clearly at the time of quoting.
·         The quotation shall be for materials strictly in accordance with the specifications, Inspection, Certification & Quality documentation in line with the requirement of OGC &  applicable Data Sheet (Non MESC items).
·         The last date for the technical bid submission shall be 15.03.2018. No further extension will be entertained thereafter. Hence please rush with your technical quote at the earliest on or before the closing of bid submission date.
·         Please quote the Enquiry Reference no. mentioned above in all correspondence related to this enquiry without fail.

Regards,

[Image removed by sender. Description: ATE Emblem 1]


Ketul Gandhi

Al Turki Enterprises L. L. C.

Address : P. O. Box 2803, P. C. 112, Ruwi, Oman.

Office : +968 24621200 EXT: 1165 Fax :+968 24590212
GSM : +968 98049160 Short-code : 1084

Web :www.alturki.com

Our new ATE (PDO) office address:

1st floor, Al Nab'a House, Way no. - 277, Bldg No. - 1240, Al Atta Street, Ghala Industrial, Muscat


Example of a malicious email (screenshot)


Attachments:
Name: Technical_Specifications pdf..ace / M1-04716-5-019-4 REV 0 pdf..ace
MD5: 14ABBD0DD304498533F6657D99994FB9 / FEF68AC1B76087150506581C52A209E3
Size: 243.356 byte

Note:
The email carries two ".ace" attachments that differ only in name; each contains the same executable, named after its container. Note the double dot in "pdf..ace", a trick meant to make the archive pass for a PDF.
The attachment examined, "Technical_Specifications pdf..ace", contains "Technical_Specifications pdf.exe", which infects the victim's PC once executed and acts as a downloader:
  1. Connects to "151.80.74[.]167/ogbu/ogbu[.]exe" and downloads the file "ogbu.exe".
  2. Creates and executes the file %Userprofile%\AppData\Local\Temp\[RANDOM NUMBER].bat
  3. Executes "ogbu.exe"

Name: Technical_Specifications pdf.exe
MD5: 4C538FA36F7DEA5B2E201E88D6FEA37C
Size: 331.776 byte

IOC:
 
MD5:
14ABBD0DD304498533F6657D99994FB9
FEF68AC1B76087150506581C52A209E3
4C538FA36F7DEA5B2E201E88D6FEA37C
URL:
151.80.74.167/ogbu/ogbu[.]exe
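To sweep proxy logs for the network indicators published in the campaigns above (the fre.php check-ins of the "BANK TRANSFER FORM" stealer, the umeh.exe and ogbu.exe downloads from 151.80.74.167, and the Adwind hosts and ports), here is an added example that is not part of the report: it refangs the indicators as printed, splits them into host, port and path, and grades each request as an exact match or a host-only match. The proxy log excerpt, its four-field format and the client addresses are constructed for the example.

```python
from urllib.parse import urlsplit

# Network indicators copied from this report, as printed (some defanged with
# "[.]"); the two IPv4-mapped IPv6 addresses are written as host:port.
RAW_IOCS = [
    "vvrhhhnaijyj6s2m.onion.top",
    "62.0.58.94:443",
    "95.141.43.217:7779",
    "18panels[.]info/juki/fre.php",
    "kbfvzoboss[.]bid/alien/fre.php",
    "alphastand[.]trade/alien/fre.php",
    "104.24.119.140",
    "http://151.80.74[.]167/umeh/umeh.exe",
    "151.80.74.167/ogbu/ogbu[.]exe",
]

# Constructed proxy log excerpt (timestamp, client, method, target); not real
# traffic, and the client addresses are assumptions.
SAMPLE_PROXY_LOG = """\
1520420160.123 10.0.0.15 POST http://18panels.info/juki/fre.php
1520420161.456 10.0.0.15 GET http://www.tgsoft.it/italy/file_sospetti.asp
1520420170.001 10.0.0.22 GET http://151.80.74.167/umeh/umeh.exe
1520420175.002 10.0.0.22 CONNECT 95.141.43.217:7779
1520420180.003 10.0.0.30 GET http://151.80.74.167/index.html
"""


def refang(s):
    """Undo the defanging used in reports so the indicator can be parsed."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def split_target(s, fill_default_port=False):
    """Return (host, port, path) for a URL, bare host, host:port or host/path.
    Indicators keep port=None when none is printed; requests get the scheme
    default so that an exact match can compare ports."""
    s = refang(s.strip())
    if "://" not in s:
        s = "http://" + s
    u = urlsplit(s)
    port = u.port
    if port is None and fill_default_port:
        port = 443 if u.scheme == "https" else 80
    path = u.path if u.path not in ("", "/") else None
    return (u.hostname or "").lower(), port, path


IOCS = [(raw,) + split_target(raw) for raw in RAW_IOCS]


def match_ioc(target):
    """Strongest match for one request: ("exact", ioc), ("host", ioc) or None.
    "host" means the host is listed but with another path: worth a look, not
    proof of infection on its own."""
    host, port, path = split_target(target, fill_default_port=True)
    host_only = None
    for raw, ioc_host, ioc_port, ioc_path in IOCS:
        if host != ioc_host and not host.endswith("." + ioc_host):
            continue
        if ioc_port is not None and ioc_port != port:
            continue
        if ioc_path is not None and ioc_path != path:
            host_only = host_only or ("host", raw)
            continue
        return ("exact", raw)
    return host_only


def scan_proxy_log(text):
    """Return (line_no, client, level, ioc) for each matching log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        m = match_ioc(fields[3])
        if m:
            hits.append((n, fields[1], m[0], m[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Port matters for the Adwind endpoints: the report lists 62.0.58.94 on 443 and 95.141.43.217 on 7779, so a CONNECT to the right host on a different port is not counted as an exact match.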





 

Campaign "Contract prolongation" / "DHL SHIPMENT 03-07-18"

Malware family: Banker
VirIT: Trojan.Win32.Banker.ALW

Description:
Below you can see a sample email from the campaign "Contract prolongation / DHL SHIPMENT 03-07-18"

Subject: Contract prolongation / DHL SHIPMENT 03-07-18


Dear Sir,

Please find new contract for the year 2018 in the attachment.
The wording of the Contract is the same as it was before.
In case you have no amendments, please send it back duly signed&stamped.

Regards.

Güneş Koç
Kalite Güvence Sorumlusu / Quality Assurance Associate
Altera Tıbbi Malzeme San. ve Tic. A. Ş. - a Meditera Group Company
T: +90 232 513 501 10 / Ext: 225 | F: +90 232 5103 51 14
A: İbni Melek OSB Mah. TOSBİ Yol 4 Sok. No: 29 Tire Organize Sanayi Bölgesi, Tire / İzmir / Turkey
E: GUNES.KOC@meditera.com.tr
W: www.mediteragroup.com
Click here for legal notice / Yasal uyarı için tıklayınız…

###################### SECOND EMAIL ######################

Dear Customer,

Attached is the Original Shipping documents as assigned to deliver to you.
Notification for shipment event group "Pick Up" for 08 Mar 18.

Best Wishes,
Nina Lin
Gateway Import Customs Clearance
DHL Express (China) Corp.
---------------------------------------------
T: 03-398-15805 | F: 03-399-25860
E:nina.lin@dhl.com | 0800-769-888



Example of a malicious email (screenshot)


Attachments:
Name: ORIGINAL SHIPMENT DOCUMENT 03072018.zip / EMSTEC- Contract Draft 2018.zip
MD5: DA2B8843E9535ADCDEC1ECAC45CA0AC4 / D7C3A92617785DD30688BB5C7DB700D6
Size: 577.262 byte

Note:
The attachment "EMSTEC- Contract Draft 2018.zip" contains the file "EMSTEC- Contract Draft 2018.exe". The analysis performed shows that the malware belongs to the Banker family: this type of malware tries to steal login credentials for services such as home banking, e-mail and FTP.

Name: EMSTEC- Contract Draft 2018.exe
MD5: DA2B8843E9535ADCDEC1ECAC45CA0AC4
Size: 1.302.528 byte


IOC:
 
MD5:
DA2B8843E9535ADCDEC1ECAC45CA0AC4
D7C3A92617785DD30688BB5C7DB700D6


How to identify a fake email

Experience and common sense are the first defences against these kinds of scams.
Read the email carefully, in all its elements. Be wary of archive attachments (ZIP, ACE, GZ, RAR) and of Java .jar files, especially when the name suggests a document ("PaymentCopy_pdf.exe", "Technical_Specifications pdf..ace"): Windows hides known extensions by default, so "PaymentCopy_pdf.exe" can be displayed as "PaymentCopy_pdf". If possible, do NOT enable automatic macro execution in Office: with it enabled, simply opening a Word or Excel file runs its macros immediately, without any prior alert.
If you have been infected by a Banker, C.R.A.M.'s advice is to take precautions even after remediating the affected system(s), such as changing the passwords most commonly used on the web. If the workstation involved is used for home-banking transactions, a check with your bank is also recommended.
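The attachment checks above can be automated at the mail gateway or in a triage script. The following added example (not TG Soft's code) parses an .eml, flags attachments by extension, by the "document name with an executable or archive extension" pattern seen throughout this report, and by MD5 against the hashes listed in the campaigns above, and looks inside ZIP members; ACE, GZ and RAR archives, which the Python standard library cannot list, are only flagged. The sample message is constructed here with a placeholder file in the zip, so only the name rules fire and never the hash rule; sender and recipient addresses are invented.

```python
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# MD5 hashes of the attachments and payloads listed in this report.
KNOWN_BAD_MD5 = {
    "1e1cb0ae838cad992444f9b3317025fb",  # SAT180313.jar
    "7792a36210492332e13dfd97d90de84f",  # BANK TRANSFER FORM201873.ace
    "1ba466fae82c9eb34208bb5b97c62c10",  # BANK TRANSFER FORM201873.exe
    "2fc699a0ec5026b466f79da8e80fc6d3",  # PaymentCopy_pdf.zip
    "3c8b7f1860724c2de2f74f48597cf193",  # PaymentCopy_pdf.exe
    "b223cd88f60851ea140b98573af151ac",  # scan_F4BC20F_pdf.gz
    "9d93351244e942c709707c327fd3173e",  # scan_F4BC20F_pdf.exe
    "16d593eac631dce07341aa1c0cab129b",  # TM Project Inquiry.ace
    "4fa44d2f6d8a6240a8583e0945052158",  # TM Project Inquiry.exe
    "14abbd0dd304498533f6657d99994fb9",  # Technical_Specifications pdf..ace
    "fef68ac1b76087150506581c52a209e3",  # M1-04716-5-019-4 REV 0 pdf..ace
    "4c538fa36f7dea5b2e201e88d6fea37c",  # Technical_Specifications pdf.exe
    "da2b8843e9535adcdec1ecac45ca0ac4",  # EMSTEC- Contract Draft 2018.zip
    "d7c3a92617785dd30688bb5c7db700d6",  # ORIGINAL SHIPMENT DOCUMENT 03072018.zip
}

EXEC_EXT = {"exe", "jar", "vbs", "js", "scr", "bat", "cmd", "hta", "wsf", "ps1"}
ARCHIVE_EXT = {"zip", "ace", "gz", "rar", "7z"}
# "PaymentCopy_pdf.exe", "scan_F4BC20F_pdf.gz", "Technical_Specifications pdf..ace":
# a document-looking name ending in an executable or archive extension
# (the double dot in "pdf..ace" is deliberate, hence \.{1,2}).
FAKE_DOC_RE = re.compile(r"[_ .]pdf\.{1,2}(?:exe|ace|zip|gz|rar|7z|jar)$", re.I)


def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_name(name):
    """Reasons a file name alone is suspicious (empty list = none)."""
    reasons, ext = [], ext_of(name)
    if ext in EXEC_EXT:
        reasons.append("executable extension ." + ext)
    if ext in ARCHIVE_EXT:
        reasons.append("archive extension ." + ext)
    if FAKE_DOC_RE.search(name):
        reasons.append("document-style name with non-document extension")
    return reasons


def triage_attachment(name, data, bad_hashes=KNOWN_BAD_MD5):
    """Findings for one attachment as (file, reason) pairs. ZIP members are
    inspected; ACE, GZ and RAR are only flagged, the stdlib cannot list them."""
    findings = [(name, r) for r in classify_name(name)]
    digest = hashlib.md5(data).hexdigest()
    if digest in bad_hashes:
        findings.append((name, "MD5 " + digest + " matches a known IOC"))
    if ext_of(name) == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += [(name + ":" + member, r) for r in classify_name(member)]
        except zipfile.BadZipFile:
            findings.append((name, "zip extension but not a valid zip"))
    return findings


def triage_raw_email(raw):
    """Parse an .eml (bytes) and triage every attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings += triage_attachment(part.get_filename() or "",
                                      part.get_payload(decode=True) or b"")
    return findings


def build_sample_email():
    """Constructed lure shaped like the 'Payment against your P.I' campaign.
    The zip holds a placeholder file, not the real payload, so its hash is not
    in KNOWN_BAD_MD5; the addresses are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PaymentCopy_pdf.exe", b"MZ placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = "Payment against your P.I 467301"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg.set_content("Attach payment for this first Order Looking forward for your prompt reply.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="PaymentCopy_pdf.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for file, reason in triage_raw_email(build_sample_email()):
        print(file, "->", reason)
```

Hash matching catches only the exact samples published here; repacked variants change the MD5, which is why the name-based rules (and, for ZIPs, the member names) carry most of the weight in day-to-day triage.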

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or phishing attempts

Sending material to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Forward the suspicious e-mail from your mail client choosing "Forward as Attachment" to lite@virit.com, with "Possible phishing page to verify" or "Possible Malware to verify" in the subject. Forwarding as an attachment preserves the original headers and the attachment, which a plain forward strips or rewrites.
  2. Save the e-mail as a file outside the mail program and upload it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis, indicate an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware; other).
These suggestions help avoid credential theft, viruses/malware or, worse, next-generation ransomware / crypto-malware.
 
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- alongside the antivirus in use to increase the security of your computers, PCs and SERVERs alike.

Vir.IT eXplorer Lite has the following features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use: it does not conflict with or slow down the system, and it significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to TG Soft's C.R.A.M. (Centro Ricerche Anti-Malware) for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software can report new-generation viruses/malware that have installed themselves automatically and send the reported files to TG Soft's C.R.A.M.
  • Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

For Vir.IT eXplorer PRO owners, TG Soft's technical phone support is also available free of charge. The details can be found on the CLIENTS support page.
 


C.R.A.M.
TG Soft's Anti-Malware Research Center

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”