Tuesday 20 January 2015

Malware spam: "mereway kitchens [sales.north@mereway.co.uk]" / "Delivery Confirmation"

This rather terse spam comes with a malicious attachment. It is NOT from Mereway Kitchens and their systems have not been hacked or compromised in any way.

From:    mereway kitchens [sales.north@mereway.co.uk]
Date:    20 January 2015 at 08:24
Subject:    Delivery Confirmation

Delivery Confirmation

Attached is a file K-DELC-28279.doc which comes in two different versions, both of which are poorly detected by AV vendors [1] [2] and which contain one of two malicious macros [1] [2] [pastebin]. These attempt to download a file from one of the following locations:

http://solutronixfze.com/js/bin.exe
http://ems-medienservice.info/js/bin.exe

This payload is identical to the one found in this spam run which preceded it.

UPDATE 2015-01-23

A second spam run is underway, and although the email and attachment name are the same, the malicious macro itself is rather different. Both Word documents have zero detection rates [1] [2] and contain malicious macros [1] [2] that download another component from:

http://webcredit.be/js/bin.exe
http://www.gmilitaru.home.ro/js/bin.exe

This binary has a VirusTotal detection rate of 3/57. It probably drops the Dridex banking trojan, but analysis is inconclusive.
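Both spam runs use the same download path on different hosts, so a proxy-log sweep for the four listed URLs should also flag the `/js/bin.exe` path on hosts not yet listed. The script below is an added example, not part of the original post: it assumes Squid native access-log lines and runs over a few constructed sample lines (the hosts `other-host.example` and `www.example.com` are placeholders).

```python
import re
from urllib.parse import urlsplit

# Download locations named in the post (first run and 2015-01-23 update).
PAYLOAD_URLS = [
    "http://solutronixfze.com/js/bin.exe",
    "http://ems-medienservice.info/js/bin.exe",
    "http://webcredit.be/js/bin.exe",
    "http://www.gmilitaru.home.ro/js/bin.exe",
]
KNOWN_HOSTS = {urlsplit(u).hostname for u in PAYLOAD_URLS}

# Squid native format: "timestamp elapsed client action/code size method url ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(url):
    """'exact' = a listed URL; 'host' = a listed host, other path;
    'pattern' = the /js/bin.exe path on an unlisted host; None = no match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url in PAYLOAD_URLS:
        return "exact"
    if host in KNOWN_HOSTS:
        return "host"
    if parts.path.lower() == "/js/bin.exe":
        return "pattern"
    return None


def scan_log(lines):
    """Return (timestamp, client, url, verdict) for every line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in the expected format
            continue
        verdict = classify(m.group("url"))
        if verdict:
            hits.append((m.group("ts"), m.group("client"), m.group("url"), verdict))
    return hits


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    "1421742300.123 456 10.0.0.17 TCP_MISS/200 245760 GET http://webcredit.be/js/bin.exe - HIER_DIRECT/192.0.2.10 application/octet-stream",
    "1421742310.870 12 10.0.0.23 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
    "1421742330.501 398 10.0.0.23 TCP_MISS/200 245760 GET http://other-host.example/js/bin.exe - HIER_DIRECT/192.0.2.11 application/octet-stream",
    "1421742360.007 77 10.0.0.17 TCP_MISS/200 2048 GET http://solutronixfze.com/ - HIER_DIRECT/192.0.2.12 text/html",
    "this line is not a log record",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```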