
Email:

This fake Booking.com spam email claims to carry an electronic invoice for commissions. It has been seen in at least two waves (February and April 2015, samples below).

The attached malicious .doc file contains a macro that downloads further malware.


Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Dear customer,

Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.

If you have any questions, please contact our Credit Control Department at telephone number +44 (0)208 612 8210 (e-mail: ).

Thank you for working with Booking.com.

invoice-1501383360.doc (96)

Subject: Booking.com Invoice 1/1/15 - 1/31/15

Dear representative,

Herewith you receive the electronic invoice regarding the commissions for the period from 1/1/15 to 1/31/15.

If you have any questions, please contact our Credit Control Department at telephone number 1 877 266 5818 (e-mail: creditcontrol.us @booking.com).

Thank you for working with Booking.com.

invoice-1501632892.doc (50)

Header Examples:

27 April 2015 

Spoofs booking.com in both the From: header and the envelope sender (the SMTP MAIL FROM address, shown here as X-Envelope-From). The Received: lines give the real origin: residential and dynamic ISP addresses, not booking.com mail servers.

Received: from customer-PUE-40-147.megared.net.mx [189.193.40.147]
X-Envelope-From: invoice @booking.com
From: invoice @booking.com
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Received: from 88.255.236.180.dynamic.ttnet.com.tr [88.255.236.180]
X-Envelope-From: invoice @booking.com
From: invoice @booking.com
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Received: from van1598647.lnk.telstra.net [101.187.135.123]
X-Envelope-From: invoice @booking.com
From: invoice @booking.com
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

3 February 2015

Spoofs booking.com in the From: header only; the envelope sender (MAIL FROM) is random junk at unrelated domains. Because the envelope domain is not booking.com, an SPF check on its own does not treat these as booking.com spoofs; only a check that aligns the From: header domain with the authenticated domain (as DMARC does) would.

Received: from my.firewall [88.34.189.152]
X-Envelope-From: trick3 @reque-gallego.com
From: "Booking.com" <invoice @booking.com>
Subject: Booking.com Invoice 1/1/15 - 1/31/15

Received: from net-93-67-194-111.cust.vodafonedsl.it [93.67.194.111]
X-Envelope-From: alleviated7209 @reveo.com
From: "Booking.com" <invoice @booking.com>
Subject: Booking.com Invoice 1/1/15 - 1/31/15
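A check that encodes the two spoofing patterns above, written for this page as an added example (it is not the post's own tooling). It parses the header excerpts quoted above (normalising the spaced-out "invoice @booking.com" addresses), takes booking.com as the impersonated domain, and reports whether the From: header, the envelope sender and the relay named in Received: are consistent with each other. The relay test is a deliberately simple hostname suffix match; a production mail filter would consult the sender domain's SPF, DKIM and DMARC records instead.

```python
import re

# Two header excerpts copied from the samples above, one from each wave.
# The post prints addresses with a space before "@"; the parser removes it.
SAMPLE_HEADERS = """\
Received: from customer-PUE-40-147.megared.net.mx [189.193.40.147]
X-Envelope-From: invoice @booking.com
From: invoice @booking.com
Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015

Received: from my.firewall [88.34.189.152]
X-Envelope-From: trick3 @reque-gallego.com
From: "Booking.com" <invoice @booking.com>
Subject: Booking.com Invoice 1/1/15 - 1/31/15
"""

CLAIMED_DOMAIN = "booking.com"   # the brand the lure impersonates

ADDR_RE = re.compile(r"[\w.+-]+\s*@\s*[\w.-]+")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\[([\d.]+)\]")


def address_domain(header_value):
    """Domain part of the first e-mail address in a header value, or None."""
    m = ADDR_RE.search(header_value)
    if not m:
        return None
    return re.sub(r"\s+", "", m.group(0)).split("@", 1)[1].lower()


def parse_headers(block):
    """Minimal 'Name: value' parser; sufficient for these unfolded excerpts."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_message(block):
    """Return the spoofing indicators found in one message's headers."""
    h = parse_headers(block)
    from_domain = address_domain(h.get("from", ""))
    envelope_domain = address_domain(h.get("x-envelope-from", ""))
    m = RECEIVED_RE.search(h.get("received", ""))
    relay_host = m.group(1).lower() if m else ""

    findings = set()
    if from_domain == CLAIMED_DOMAIN:
        findings.add("from-claims-" + CLAIMED_DOMAIN)
        # Genuine mail from the brand would be handed off by one of its own
        # relays, not by a residential or dynamic host as in the samples.
        if not (relay_host == CLAIMED_DOMAIN
                or relay_host.endswith("." + CLAIMED_DOMAIN)):
            findings.add("relay-outside-" + CLAIMED_DOMAIN)
    if envelope_domain == CLAIMED_DOMAIN:
        findings.add("envelope-from-spoofed")        # April 2015 wave
    elif envelope_domain and envelope_domain != from_domain:
        findings.add("envelope-from-mismatch")       # February 2015 wave
    return {"subject": h.get("subject", ""), "relay": relay_host,
            "findings": findings}


def check_all(text):
    """Split the input on blank lines and check each header block."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [check_message(b) for b in blocks if b.strip()]


if __name__ == "__main__":
    for r in check_all(SAMPLE_HEADERS):
        print(r["subject"], "|", r["relay"], "|", sorted(r["findings"]))
```

Run it and both samples are flagged as claiming booking.com while being relayed from outside it; the April sample additionally has the envelope sender spoofed, the February one an envelope sender that does not match the From: header.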

Malware

3 February 2015 

Attachment : malicious .doc file with macro : invoice-1501383360.doc

VirusTotal report 

GData Macro.Trojan-Downloader.Agent.EB@gen
McAfee W97M/Downloader.ago
Panda W97M/Downloader

There are several versions of the .doc in this series; the macro tries to download an executable from locations such as:

tom-lebaric.com/62/927.exe
voipconcerns.com/62/927.exe

Malwr.com report | hybrid-analysis.com report

Downloaded executable: 927.exe (Dridex, botnet 220)

VirusTotal report 

ByteHero Trojan.Malware.Obscu.Gen.002
Kaspersky UDS:DangerousObject.Multi.Generic
Sophos Mal/FakeAV-CX

Malwr.com report 

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Installs itself for autorun at Windows startup

hybrid-analysis.com report

Also, from the bot's configuration:

<botnet>220</botnet>
<version>131182</version>

Stage 1, DLL download nodes:
185.12.95.191:4443
149.154.64.70:4443
62.152.36.90:1443
89.28.83.228:8443

Stage 2 C2 servers:
94.23.171.198:80
88.192.77.168:8000
14.100.40.58:443
87.236.215.151:80
5.100.249.215:443
31.149.246.121:8000
149.132.68.139:443

<redirect name="1st" vnc="0" socks="0" uri="http://80.86.93.225:8080/userexperiences" ....
<redirect name="2nd" vnc="1" socks="1" uri="http://80.86.93.225:8080/tickingservice" ...
<redirect name="vbv1" vnc="0" socks="0" postfwd="1" uri="http://37.59.96.74:8080/logs/dtukvbv/js.php" ...
<redirect name="vbv2" vnc="0" socks="0" postfwd="1" uri="http://37.59.96.74:8080/logs/dtukvbv/in.php"...

 

3 February 2015 

Attachment : malicious .doc file with macro : invoice-1501632892.doc

VirusTotal report 

CAT-QuickHeal 	O97M.Dropper.AX
Kaspersky Trojan-Downloader.MSWord.Agent.el
McAfee W97M/Downloader.acl

The .doc file asks the user to enable macros:

Picture of .doc file telling you to enable macros.

An example of the macro can be found at this pastebin. It tries to download an executable from locations such as:

146.185.213.35/upd/install.exe

Downloaded executable: install.exe (Tordal / Hancitor)

VirusTotal report 

0 detections on VirusTotal at the time of analysis

Developer metadata (as reported by VirusTotal):
Copyright: Copyright (C) 2004-2015 VitSoft ®
Publisher: VITSOFT ®
Product: Vit Schedule?
File version: 2.03.0.1
Description: Vit Registry Fix: Schedule - for Windows XP/VISTA/7/8/8.1/10

Malwr.com report 

Performs some HTTP requests
Connects to Tor Hidden Services through Tor2Web
Installs itself for autorun at Windows startup

api.ipify.org 54.225.211.214
ho7rcj6wucosa5bu.tor2web.org 38.229.70.4
ho7rcj6wucosa5bu.tor2web.ru 166.78.144.80
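To turn the Dridex and Tordal/Hancitor network indicators above into something a responder can run over logs, here is an added example (not from the post). It scans constructed proxy-log lines for the stage 1, stage 2 and redirect addresses from the Dridex configuration, the macro download URLs, and the Tor2Web hosts seen in the Hancitor traffic, then groups the matches by internal source so the whole infection chain is visible. The log format (time, source, destination ip:port, host, path), the internal source addresses and the example.com line are made up for the example; the indicators are the ones listed above. Note that these addresses date from early 2015 and will long since have been reassigned, so treat them as an illustration of the matching rather than a current blocklist.

```python
import re
from collections import defaultdict, namedtuple

# Indicators copied from the analysis above (Dridex botnet 220, Tordal/Hancitor).
DRIDEX_STAGE1 = {"185.12.95.191:4443", "149.154.64.70:4443",
                 "62.152.36.90:1443", "89.28.83.228:8443"}
DRIDEX_STAGE2 = {"94.23.171.198:80", "88.192.77.168:8000", "14.100.40.58:443",
                 "87.236.215.151:80", "5.100.249.215:443", "31.149.246.121:8000",
                 "149.132.68.139:443"}
DRIDEX_REDIRECT = {"80.86.93.225:8080", "37.59.96.74:8080"}
HANCITOR_TOR2WEB = {"ho7rcj6wucosa5bu.tor2web.org", "ho7rcj6wucosa5bu.tor2web.ru"}
PAYLOAD_URLS = {"tom-lebaric.com/62/927.exe", "voipconcerns.com/62/927.exe",
                "146.185.213.35/upd/install.exe"}

# Generalisation beyond the two hostnames seen: any Tor2Web gateway is worth a look.
TOR2WEB_RE = re.compile(r"\.tor2web\.[a-z]+$")

# Constructed sample log (not from the post). Fields: time src dst:port host path
SAMPLE_LOG = """\
2015-02-03T09:14:02 10.1.2.34 146.185.213.35:80 146.185.213.35 /upd/install.exe
2015-02-03T09:14:05 10.1.2.34 54.225.211.214:443 api.ipify.org /
2015-02-03T09:14:09 10.1.2.34 38.229.70.4:80 ho7rcj6wucosa5bu.tor2web.org /
2015-02-03T09:20:11 10.1.2.57 185.12.95.191:4443 185.12.95.191 /
2015-02-03T09:21:40 10.1.2.57 94.23.171.198:80 94.23.171.198 /
2015-02-03T09:22:00 10.1.2.57 80.86.93.225:8080 80.86.93.225 /userexperiences
2015-02-03T09:30:00 10.1.2.90 93.184.216.34:443 www.example.com /
"""

Hit = namedtuple("Hit", "time src dst tag")


def classify(dst, host, path):
    """Tags for one request; a request can match more than one indicator."""
    tags = []
    if dst in DRIDEX_STAGE1:
        tags.append("dridex-stage1-dll-download")
    if dst in DRIDEX_STAGE2:
        tags.append("dridex-stage2-c2")
    if dst in DRIDEX_REDIRECT:
        tags.append("dridex-redirect")
    if host + path in PAYLOAD_URLS:
        tags.append("macro-payload-download")
    if host in HANCITOR_TOR2WEB:
        tags.append("hancitor-c2-tor2web")
    elif TOR2WEB_RE.search(host):
        tags.append("tor2web-gateway")       # generic: some onion service via Tor2Web
    if host == "api.ipify.org":
        tags.append("external-ip-lookup")    # weak on its own; seen in the Hancitor traffic
    return tags


def scan_log(text):
    """Return one Hit per (request, matching indicator)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, host, path = line.split()
        for tag in classify(dst, host.lower(), path):
            hits.append(Hit(time, src, dst, tag))
    return hits


def per_source(hits):
    """Group indicator tags by internal source so the whole chain is visible."""
    chains = defaultdict(set)
    for h in hits:
        chains[h.src].add(h.tag)
    return {src: sorted(tags) for src, tags in chains.items()}


if __name__ == "__main__":
    for src, tags in per_source(scan_log(SAMPLE_LOG)).items():
        print(src, "->", ", ".join(tags))
```

On the constructed log, 10.1.2.34 shows the Hancitor chain (payload download, external IP lookup, Tor2Web C2) and 10.1.2.57 the Dridex chain (stage 1 loader, stage 2 C2, redirect server); the example.com request matches nothing.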

So what is next?

This malware joins the infected computer to a botnet. The bot is then assigned work and sent further malware with which to do it; spam-sending executables are a popular choice.

Matthew Mesa also documented tordal/hancitor bots being sent Vawtrak / Gozi.

 
