Tuesday, 11 November 2014

nazarethcare.com / Accounts Finchley "Bank Payments" has a malicious attachment

This fake invoice spam pretending to be from a care home in the UK comes with a malicious attachment.

From:     Accounts Finchley [accounts.finchley@nazarethcare.com]
Date:     11 November 2014 10:34
Subject:     Bank Payments

Good Afternoon,

Paying in sheet attached

Regards

Sandra Whitmore
Care Home Administrator
Nazareth House
162 East End Road
East Finchley
London
N2 ORU
Tel:02088831104
Fax:02084443691
Nazareth Care Charitable Trust- Registered Office – Larmenier Centre, 162 East End Road, London N2 ORU
Registered Charity – England & Wales – 1113666, Scotland – SCO42374
Registered Company registered in England & Wales – Company Number 05518564

The contents of this message are for the attention and use of the named addressee(s) only.  It, and any files transmitted with it, may be legally privileged or prohibited from disclosure or unauthorised use.  If you are not an intended recipient or addressee, any form of reproduction, dissemination, copying, disclosure, modification, distribution or publication is prohibited and may be unlawful and the sender will accept no liability for any action taken or omitted to be taken in reliance upon this message or its attachments.
Whilst all efforts are made to safeguard inbound and outbound e-mails, no guarantee can be given that attachments are virus-free or compatible with your systems, and we do not accept any liability in respect of viruses or computer problems experienced.
Any views expressed in this message are those of the individual sender, and do not necessarily represent those of the Sisters of Nazareth.
The domain nazarethcare.com forwards to the Sisters of Nazareth. None of these organisations is actually sending the spam, and their systems have not been compromised in any way. The "from" field in an email is trivially easy to fake, and it looks as if the body text may have been stolen from a compromised mailbox.

Attached is a file 2014_11_07_14_09_19.doc which comes in two versions, both with low VirusTotal detection rates [1] [2]. If macros are enabled, one of two macros [1] [2] [pastebin] runs and downloads a file from one of the following locations:

http://www.grafichepilia.it/js/bin.exe
http://dhanophan.co.th/js/bin.exe
This file gets copied to %TEMP%\HZLAFFLTDDO.exe and it has a VirusTotal detection rate of 3/53. The Malwr report shows it phoning home to:

http://84.40.9.34/kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/

It also drops a DLL identified by VirusTotal as Dridex.
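The download locations and the phone-home address above are the indicators a network defender would hunt for in proxy logs. The following is an added example (not code from the post) that parses Squid-style access-log lines and flags requests matching them. The log lines are constructed for the example, and the third match type (the same /js/bin.exe path on a host the post does not list) is a generalisation of the two download URLs, not something the post itself claims.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post above: the two download locations for bin.exe
# and the IP address the dropped executable phones home to.
DOWNLOAD_URLS = {
    "http://www.grafichepilia.it/js/bin.exe",
    "http://dhanophan.co.th/js/bin.exe",
}
C2_HOSTS = {"84.40.9.34"}
# Weaker, generalised indicator (an assumption, not something the post states):
# the same payload path on a host we have not seen yet.
DROPPER_PATH = "/js/bin.exe"

# Squid native access-log layout: timestamp, elapsed ms, client, result code,
# bytes, method, URL, ident, hierarchy/peer, content type.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log (made up for this example; RFC 5737 addresses for the
# non-malicious peers). 10.0.0.15 fetches the dropper and then calls home;
# 10.0.0.31 fetches the same path from a host not listed in the post.
SAMPLE_LOG = """\
1415700123.456    312 10.0.0.15 TCP_MISS/200 184320 GET http://www.grafichepilia.it/js/bin.exe - DIRECT/192.0.2.10 application/octet-stream
1415700130.001     45 10.0.0.15 TCP_MISS/200 512 POST http://84.40.9.34/kPm/PQ0Zs8L.Wtg%26/thtqJJSo%2B/LsB6v/ - DIRECT/84.40.9.34 text/html
1415700140.789     20 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.com/js/app.js - NONE/- application/javascript
1415700150.000    100 10.0.0.31 TCP_MISS/200 184320 GET http://198.51.100.7/js/bin.exe - DIRECT/198.51.100.7 application/octet-stream
"""


def classify_url(url):
    """Return the indicator type a URL matches, or None if it is clean."""
    if url in DOWNLOAD_URLS:
        return "dropper-download"
    parts = urlsplit(url)
    if (parts.hostname or "") in C2_HOSTS:
        return "c2-callback"
    if parts.path == DROPPER_PATH:
        return "dropper-path-lookalike"
    return None


def scan_proxy_log(text):
    """Parse Squid-style lines and return one hit per matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than fail
        kind = classify_url(m["url"])
        if kind is not None:
            hits.append({"ts": m["ts"], "client": m["client"], "kind": kind, "url": m["url"]})
    return hits


def clients_to_triage(hits):
    """Map each client that touched an indicator to the indicator types seen."""
    seen = {}
    for hit in hits:
        seen.setdefault(hit["client"], set()).add(hit["kind"])
    return seen


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["client"]:<12} {hit["kind"]:<24} {hit["url"]}')
    for client, kinds in clients_to_triage(hits).items():
        print(f"triage {client}: {', '.join(sorted(kinds))}")
```

A client that shows both a dropper download and a callback to the C2 address is the one to pull off the network first; a lookalike-path hit on its own only earns a closer look, since the path is common enough to appear in benign traffic.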

10 comments:

captaintee said...

How do I get rid of it? It so happens I was awaiting payment from a company in the same area so didn't spot the fake.
Tony

Conrad Longmore said...

@captaintee: you might not be infected if you had macros disabled. The first thing to do is determine if you *are* infected, and it will take virus scanners a day or so to catch up.

A quick check is to go into your TEMP folder e.g. C:\Users\Your_name\AppData\Local\Temp on Windows 7/8 and look for any EXE files with random names with a datestamp of today.

Removing that won't fix the malware, but if you can't see it then you are probably not infected.
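
The TEMP-folder check described in the comment above, written out as an added example (not code from the post or the commenter): it lists .exe files in the temp folder that were modified within the last day and/or have a random-looking name like the HZLAFFLTDDO.exe the post mentions. The "random-looking" rule (8 to 16 uppercase letters and nothing else) is an assumption for the example, and build_demo_dir creates constructed files so the check can be exercised without a real infection.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic for the random file names described above (HZLAFFLTDDO.exe):
# a run of 8 to 16 uppercase letters and nothing else before the extension.
# This is an assumption used for the example, not a rule from the post.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,16}\.[Ee][Xx][Ee]$")
DAY = 24 * 60 * 60


def default_temp_dir():
    """%TEMP% on Windows; fall back to TMP or the system temp dir elsewhere."""
    return Path(os.environ.get("TEMP") or os.environ.get("TMP") or tempfile.gettempdir())


def find_suspicious_exes(directory, max_age_seconds=DAY, now=None):
    """List .exe files in `directory` that are recent and/or randomly named.

    Modification time stands in for the 'datestamp of today' check because it
    is reported consistently on Windows and POSIX (creation time is not).
    """
    now = time.time() if now is None else now
    findings = []
    for entry in Path(directory).iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".exe":
            continue
        st = entry.stat()
        reasons = []
        if now - st.st_mtime <= max_age_seconds:
            reasons.append(f"modified in the last {max_age_seconds // 3600}h")
        if RANDOM_NAME_RE.match(entry.name):
            reasons.append("random-looking name")
        if reasons:
            findings.append({"name": entry.name, "path": str(entry),
                             "size": st.st_size, "mtime": st.st_mtime,
                             "reasons": reasons})
    # Most indicators first, then newest first.
    findings.sort(key=lambda f: (len(f["reasons"]), f["mtime"]), reverse=True)
    return findings


def build_demo_dir():
    """Create a throwaway folder with constructed files to exercise the check."""
    root = Path(tempfile.mkdtemp(prefix="temp-triage-demo-"))
    now = time.time()
    samples = [
        ("HZLAFFLTDDO.exe", now - 60),        # name from the post, written just now
        ("update.exe", now - 3600),           # recent but ordinary name
        ("QWERTYUIOPA.exe", now - 60 * DAY),  # random-looking but two months old
        ("setup.exe", now - 30 * DAY),        # neither recent nor random
        ("report.docx", now - 60),            # not an executable
    ]
    for name, mtime in samples:
        path = root / name
        path.write_bytes(b"MZ-placeholder")  # constructed content, not a real PE file
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    target = default_temp_dir()
    print(f"Checking {target}")
    for f in find_suspicious_exes(target):
        print(f'{f["name"]:<30} {f["size"]:>10} bytes  {", ".join(f["reasons"])}')
```

Run it with no arguments to check the current user's temp folder; an entry that carries both reasons is the one worth submitting to a scanner, while a recent file with an ordinary name is usually an installer and an old random-named one predates today's email.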

C Ford said...

will it affect an android phone?

Stephen Secombe said...

Just had one emailed to me at 19:35. Very convincing, these things are getting harder to spot.

Conrad Longmore said...

@C Ford: no, this will only impact Windows computers running Microsoft Word in an insecure configuration (i.e. with macros enabled). I have seen other malware that will ONLY infect Android phones and not Windows PCs, so caution is still advised.

Stathi Marneros said...

just got one and like an idiot I opened the word doc.
any advice on how to find my TEMP folder?
thx

Penny Lake said...

I had one of these today too, but because I wasn't expecting it I googled the sender first and had my suspicions confirmed. Thanks.

Jane Kerrigan said...

Thank you for your post. I received 2 emails and didn't open the attachments and then Googled for spam to find out if it were a hoax.

Thanks a lot.

Gina Risby said...

Thanks so much. Your blog came up right away when I Googled so I didn't open the attachment.