Sponsored by..

Friday, 13 February 2015

Malware spam: "Remittance XX12345678"

This spam comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:

From:    Gale Barlow
Date:    13 February 2015 at 12:30
Subject:    Remittance IN56583285

Dear Sir/Madam,

I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Gale Barlow
Accounts Manager

Boyd Huffman
Accounts Payable
There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macrowhich downloads a file from the following location:

This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identifed as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following  IPs: (Pirix, Russia) (Private Layer, Switzerland) (Universita degli Studi dell'Insubria, Italy) (MWTV, Latvia) (iomart, UK) (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52  and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates there is some attempting traffic to nonexistent domains.

Recommended blocklist:


Will Holt said...

Thank you so much. We were being hit by mails every 30 seconds. Blocking them IP's put a stop to that

Robin Norris said...

Macros deobfuscated thus far have gone here: