Sponsored by..

Wednesday, 17 December 2014

"PL REMITTANCE DETAILS ref844127RH" malware spam

This fake remittance advice comes with a malicious Excel attachment.

From:    Briana
Date:    17 December 2014 at 08:42
Subject:    PL REMITTANCE DETAILS ref844127RH

The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros [1] [2] which then reach out to the following download locations:

http://23.226.229.112:8080/stat/lldv.php
http://38.96.175.139:8080/stat/lldv.php


The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55. The ThreatTrack report [pdf] shows it POSTing to the following IP:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

This IP has been used in several recent attacks and I strongly recommend blocking it.

The Malwr report also shows it dropping a malicious DLL identified as Dridex.

The ThreatExpert report gives some different IPs being contacted:

80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)


The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:

194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139

3 comments:

Jonathan Pitt said...

would this work on MACS?

Conrad Longmore said...

@Jonathan, the Macro might run on a Mac, but the file downloaded will only run on a Windows PC.

Jonathan Pitt said...

Thanks Conrad