Sponsored by..

Thursday 8 January 2015

Malware spam "INVOICE ADVISE 08/01/2015" and "NOVEMBER INVOICE" from multiple fake senders

These two spam runs have different email messages but the same payload. In both cases, there are multiple fake senders

Sample 1 - INVOICE ADVISE 08/01/2015

From:    Mia Holmes
Date:    8 January 2015 at 09:11
Subject:    INVOICE ADVISE 08/01/2015

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Mia Holmes
Accountant
SULA IRON & GOLD PLC

Sample 2 - NOVEMBER INVOICE

From:    Reed Barrera
Date:    8 January 2015 at 09:16
Subject:    NOVEMBER INVOICE

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Reed Barrera
Controller
ASSETCO PLC
Other sender names include:
Marlin Rodriquez
Accountant
CLONTARF ENERGY PLC

Olive Pearson
Senior Accountant
ABERDEEN UK TRACKER TRUST PLC

Andrew Salas
Credit Management
AMTEK AUTO
The attachment is in a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:

RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc

There are four different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros [1] [2] [3] [4] leading to a download from one of the following locations:

http://188.241.116.63:8080/mops/pops.php
http://108.59.252.116:8080/mops/pops.php
http://178.77.79.224:8080/mops/pops.php
http://192.227.167.32:8080/mops/pops.php

This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56.

The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56.

For researchers only, a copy of the files can be found here. Password = infected

No comments: