Sponsored by..

Thursday, 15 January 2015

Malware spam: Payment request of 4176.94 (14 JAN 2015)

This spam comes with a malicious Word document attached:

from:    Alan Case
date:    15 January 2015 at 08:49
subject:    Payment request of 4176.94 (14 JAN 2015)

Dear Sirs,

Sub: Remitance of GBP 4176.94

This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.

Thanking you,
Alan Case Remittance Manager
Other names and job titles seen include:
Alan Case
Melisa Howell
Brooke Barr
Nanette Lloyd
Holly Hartman
Doreen Mclean
Lonnie Boyer
Jessica Richardson
Celeste Singleton
Katie Hahn
Marilyn Barnett
Lois Powell
Donald Yang
Christina Grimes
Keenan Graham
Muriel Prince
Chance Salazar
Francine Nixon

Accounting Team
Senior Accounts
Senior Accounts Payable
Senior Accountant
General Manager
Remittance Manager

The payment amount, name and job title change in each spam, as does the name of the attachment (although this following the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro [1] [2] [3] which attempt to download another component from one of the following locations:

http://95.163.121.71:8080/mopsi/popsi.php
http://95.163.121.72:8080/mopsi/popsi.php

http://136.243.237.204:8080/mopsi/popsi.php

Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking.  136.243.237.204 is a Hetzner IP.

The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP.

The Malwr report is inconclusive, but this exectuable probably drops a Dridex DLL.

Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204

UPDATE: the following are Dridex C&C servers which you should also block:
80.237.255.196
85.25.20.107

1 comment:

Robin Norris said...

Also seen as an XLS (00690SO.xls). Sender was Karin Wilder