
Wednesday 7 January 2015

"Remittance Advice" malware spam from multiple spoofed companies

This fake financial spam claims to be from one of several legitimate companies. They are not sending the spam, nor have their systems been compromised; the sender names and company names are simply spoofed. The real payload is a malicious Word document attached to each message.

From:    Dominique Valenzuela
Date:    7 January 2015 at 11:38
Subject:    Remittance Advice for 3996.63 GBP

Please find attached a remittance advice for recent BACS payment of 3996.63 GBP.

Any queries please contact us.

Dominique Valenzuela
Senior Accounts Payable Specialist
HERMES PACIFIC INVESTMENTS PLC

These different fake senders have been spotted so far:

Reyna Alvarado
Senior Accounts Payable Specialist
AVATION PLC

Dominique Valenzuela
Senior Accounts Payable Specialist
HERMES PACIFIC INVESTMENTS PLC

Alfreda Carney
Senior Accounts Payable Specialist
RED ROCK RESOURCES

Dave Hancock
Senior Accounts Payable Specialist
HANSA TRUST

Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION

The amount of the so-called payment, the name of the sender and the attachment name change in each case. So far I have spotted three different Word documents, all with low detection rates at VirusTotal [1] [2] [3]. Each contains one of three different macros [1] [2] [3] [pastebin], which downloads a second stage from one of the following locations:

http://193.136.19.160:8080/mans/pops.php
http://94.23.160.102:8080/mans/pops.php
http://87.106.165.232:8080/mans/pops.php


This file is downloaded as test.exe and is then moved to %TEMP%\1V2MUY2XWYSFXQ.exe. This has a VirusTotal detection rate of 4/56 and that report also says that it POSTs data to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine).
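The three download URLs and the POST destination above are the network indicators most useful for checking whether anyone on a network opened one of these documents. The following is an added example (not code from the original post) that matches web-proxy log lines against those indicators. It assumes Squid's native access.log layout; the log lines in it are constructed for illustration, and the "same host and port, different path" match is a broader generalisation than the post itself makes, added on the assumption that the download path may change between campaigns.

```python
"""Match web-proxy log lines against the network indicators from this post.

Added example, not part of the original post. Assumes Squid native
access.log format; the sample lines below are constructed, not real logs.
"""
import re
from urllib.parse import urlsplit

# Second-stage download URLs quoted in the post
STAGE2_URLS = {
    "http://193.136.19.160:8080/mans/pops.php",
    "http://94.23.160.102:8080/mans/pops.php",
    "http://87.106.165.232:8080/mans/pops.php",
}
# host:port pairs of the download servers (assumption: path may vary)
STAGE2_HOSTPORTS = {urlsplit(u).netloc for u in STAGE2_URLS}
# Host:port that the dropped executable POSTs data to, per the VirusTotal report
C2_HOSTPORT = "194.146.136.1:8080"

# Squid native format (assumed): time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return (indicator_type, client_ip, url) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url, method, client = m["url"], m["method"], m["client"]
    # CONNECT lines carry a bare host:port; normalise so urlsplit sees a netloc
    hostport = urlsplit(url if "://" in url else "http://" + url).netloc
    if url in STAGE2_URLS:
        return ("stage2_download", client, url)   # exact URL from the post
    if hostport in STAGE2_HOSTPORTS:
        return ("stage2_host", client, url)       # same server, other path (assumption)
    if hostport == C2_HOSTPORT and method == "POST":
        return ("c2_post", client, url)           # check-in from the dropped EXE
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and collect the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log: one download, one C2 POST, one benign line, one
# request to a download server with a different path.
SAMPLE_LOG = [
    "1420629480.123   1203 10.0.0.17 TCP_MISS/200 184320 GET http://193.136.19.160:8080/mans/pops.php - DIRECT/193.136.19.160 application/octet-stream",
    "1420629481.456    310 10.0.0.17 TCP_MISS/200 512 POST http://194.146.136.1:8080/ - DIRECT/194.146.136.1 text/html",
    "1420629482.789     42 10.0.0.22 TCP_MISS/200 7321 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1420629483.111     88 10.0.0.31 TCP_MISS/404 402 GET http://94.23.160.102:8080/mans/other.php - DIRECT/94.23.160.102 text/html",
]

if __name__ == "__main__":
    for kind, client, url in scan(SAMPLE_LOG):
        print(f"{kind:16} {client:12} {url}")
```

A client that shows a stage2 hit followed by a POST to the C2 address within a few seconds, as 10.0.0.17 does in the sample, has almost certainly executed the macro and should be treated as infected rather than merely exposed.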

For research purposes, a copy of these files can be found here [password=infected]


