
Monday 15 December 2014

Malware spam: IFS Applications / vitacress.co.uk / DOC-file for report is ready

This fake payment advice spam is not from Vitacress but is a forgery with a malicious Word document attached.
From:    IFS Applications [Do_Not_Reply@vitacress.co.uk]
Date:    15 December 2014 at 07:49
Subject:    DOC-file for report is ready

The DOC-file for report Payment Advice is ready and is attached in this mail.
Attached is a file Payment Advice_593016.doc, which is actually one of two different documents with zero detections at VirusTotal [1] [2], each containing one of two malicious macros [1] [2] [pastebin] that download a malware binary from one of the following locations:

http://gv-roth.de/js/bin.exe
http://notaxcig.com/js/bin.exe


This file is saved as %TEMP%\DYIATHUQLCW.exe and currently has a VirusTotal detection rate of just 1/52.

The ThreatExpert report and Malwr report show attempted connections to the following IPs, which have been used in many recent attacks and should be blocked if you can:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)

The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.

UPDATE 2014-12-16

A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates [1] [2] containing new macros [1] [2] that download a malicious file from the following locations:

http://finepack.co.in/js/bin.exe
http://loneleaf.ca/js/bin.exe


This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 74.208.11.204 yet again, although it does not show the dropped Dridex binary that I would expect to see.
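As an added example, not code from the original post, the download locations and C2 IPs from both waves above can be matched against proxy logs to find machines that ran the macro. The Squid-style log lines are constructed for the example, and the rule that flags a `/js/bin.exe` request on any host is an assumption that generalises the four download locations listed, since all of them share that path.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the post: where the macros fetch the binary from.
DOWNLOAD_URLS = {
    "http://gv-roth.de/js/bin.exe",
    "http://notaxcig.com/js/bin.exe",
    "http://finepack.co.in/js/bin.exe",
    "http://loneleaf.ca/js/bin.exe",
}

# Indicators copied from the post: IPs the dropped binary connects to.
C2_IPS = {"203.172.141.250", "74.208.11.204"}

# Assumption of this example: every download location in the post uses the
# same path, so a request for it on an unlisted host is worth flagging too.
PAYLOAD_PATH = "/js/bin.exe"

# Constructed sample log lines (not real traffic), Squid native format:
# timestamp elapsed client action/status bytes method url user hierarchy/dest-ip type
SAMPLE_LOG = """\
1418627340.123    120 10.0.0.15 TCP_MISS/200 184320 GET http://gv-roth.de/js/bin.exe - DIRECT/203.0.113.10 application/octet-stream
1418627341.456     30 10.0.0.15 TCP_MISS/200 512 POST http://74.208.11.204/ - DIRECT/74.208.11.204 text/html
1418627342.789     15 10.0.0.22 TCP_HIT/200 2048 GET http://example.com/js/jquery.js - NONE/- application/javascript
1418627343.000     40 10.0.0.31 TCP_MISS/200 184320 GET http://some-other-host.test/js/bin.exe - DIRECT/198.51.100.7 application/octet-stream
"""


def is_c2_ip(value):
    """True if value is a known C2 IP; non-IP strings such as '-' or hostnames give False."""
    try:
        return str(ipaddress.ip_address(value)) in C2_IPS
    except ValueError:
        return False


def scan_line(line):
    """Return the reasons a single Squid-native log line matches the indicators."""
    fields = line.split()
    if len(fields) < 9:
        return []
    parts = urlsplit(fields[6])
    host = (parts.hostname or "").lower()
    dest_ip = fields[8].split("/", 1)[-1]          # "DIRECT/1.2.3.4" -> "1.2.3.4"
    normalized = f"{parts.scheme}://{host}{parts.path}"

    reasons = []
    if normalized in DOWNLOAD_URLS:
        reasons.append("known download URL")
    if is_c2_ip(host) or is_c2_ip(dest_ip):
        reasons.append("C2 IP")
    if parts.path.lower() == PAYLOAD_PATH and "known download URL" not in reasons:
        reasons.append("payload path on unlisted host")
    return reasons


def scan_log(text):
    """Scan a whole log; return one record per matching line with client, URL and reasons."""
    hits = []
    for line in text.splitlines():
        reasons = scan_line(line)
        if reasons:
            fields = line.split()
            hits.append({"client": fields[2], "url": fields[6], "reasons": reasons})
    return hits


def hosts_to_block():
    """Hostnames and IPs from the post's indicators, for a proxy or firewall blocklist."""
    return sorted({urlsplit(u).hostname for u in DOWNLOAD_URLS} | C2_IPS)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], "->", ", ".join(hit["reasons"]))
    print("block:", ", ".join(hosts_to_block()))
```

Hits on the download URL identify hosts where the macro ran; hits on the C2 IPs identify hosts where the downloaded binary actually executed and checked in, which is the stronger signal for triage.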

