Companies House complaint is another one from the current zbot runs, which try to drop Cryptolocker, ransomware and loads of other malware on your computer.
Updated 17 February 2014: we have been seeing loads of these emails today but no attachments or links to download anything. We can only assume that the bot has gone wrong and they will resume normal service later when they resend all the emails and attach the malware this time.
19 February 2014: the updated version we predicted has surfaced, but it doesn’t have any attachments. Instead the links go to infected, hacked, compromised sites that are under the control of the Blackhole (or similar) exploit kit operators, the malware-spewing developers. Just visiting these sites when you have vulnerable versions of Java, Flash or other common software on your computer is enough to get you infected. The emails look very realistic and appear to come from firstname.lastname@example.org.
24 February 2014: another big run of these exploit kit versions today; they look exactly the same as the ones dated 19 February but obviously use different hijacked, compromised sites.
28 February 2014: yet another run of these Companies House complaint themed Blackhole exploits.
12 March 2014: back to the zip attachment again, dropping an Upatre zbot dropper with a .scr extension on the malware.
4 August 2014: the latest version reads like this, and the attachment has gone back to the usual fake PDF:
The submission number is: 4899190
For more details please check attached file.
Please quote this number in any communications with Companies House
All Web Filed documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent and detect fraud. We may also share such information, for the same purpose, with other Organizations that handle public funds
If you have any queries please contact the Companies House Contact Centre on +44 (0)303 1234 500 or email email@example.com
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
4 Abbey Orchard Street
Tel +44 (0)303 1234 500
Subjects seen are (the numbers or case IDs always vary from email to email):
- Incident 8352117 – Companies House
- Companies house complaint – FW: Case G8UGFCUO
Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.
30 January 2014: updated malware to use a .scr (screensaver) extension on a fake PDF to try to get you to install it.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Attachment zip name: case_G8UGFCUO.zip (9kb)
Extracted file name: case_09122013.exe
Current VirusTotal detections: 0/47 https://www.virustotal.com/en/file/13d8cc4ee9adc40d9160864c0a4f0a47faab007ecee9f2de301e1145c2c8f951/analysis/
MALWR Auto Analysis: https://malwr.com/analysis/MzM3NWYzNzJmMWMzNDcxNjhjZGE3ODg4MjExMmM1MmU/
Version 20 January 2014: Case_4983889.zip extracts to Case_20012014001.exe. Current VirusTotal detections: 0/49. Today it has changed from a fake Word doc to a fake PDF.
Version 23 January 2014: Case_2H38FUGU.zip extracts to Case_001231401.exe. Current VirusTotal detections: 24/50.
Version 31 January 2014: Case_1131931.zip extracts to Case_31012014.scr. Current VirusTotal detections: 3/49.
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper Word .doc file or PDF instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected. They are also using .scr as the final extension instead of .exe.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file type that you use every day. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
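As an added example (not code from the original post), here is a small Python check a mail gateway or help desk could run over an attachment like the ones listed above: it opens the zip, flags members with an executable extension (including .scr), flags the double-extension trick that Explorer hides when known extensions are not shown, and checks the “MZ” PE header so a renamed executable is caught regardless of its name. The member names and bytes in build_sample() are constructed test data modelled on the names above; they are not the real payloads.

```python
import io
import zipfile

# Extensions Windows will run as a program; .scr (screensaver) is what this campaign switched to
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-style extensions a payload is dressed up as (spoofed icon / double extension)
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}

def classify_member(name, head):
    """Return the reasons (possibly none) a zip member looks like a disguised executable.

    name is the member's path inside the archive, head its first few bytes.
    """
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % last)
    # e.g. invoice.pdf.exe: with known extensions hidden, Explorer shows only "invoice.pdf"
    if len(parts) > 2 and "." + parts[-2] in LURE_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double extension hides %s behind .%s" % (last, parts[-2]))
    # Windows PE files start with the "MZ" DOS stub whatever the file name claims
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append("PE header but non-executable extension")
    elif head[:2] == b"MZ":
        reasons.append("PE header (MZ)")
    return reasons

def scan_zip(data):
    """Scan raw zip bytes; return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the header check only needs the first bytes
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample archive shaped like case_G8UGFCUO.zip; harmless stub bytes, no malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("case_09122013.exe", b"MZ" + b"\x00" * 62)      # name from the December run
        zf.writestr("Case_31012014.scr", b"MZ" + b"\x00" * 62)      # .scr variant from 31 January
        zf.writestr("Case_20012014.pdf.exe", b"MZ" + b"\x00" * 62)  # constructed double-extension lure
        zf.writestr("readme.txt", b"plain text, harmless")          # benign member, must not be flagged
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(member, "->", "; ".join(why))
```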