Wednesday 25 March 2015

Malware spam: "James Dudley [James.Dudley@hitec.co.uk]" / "Payment 1142"

This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

From:    James Dudley [James.Dudley@hitec.co.uk]
Date:    25 March 2015 at 09:38
Subject:    Payment 1142

Payment sheet attached.

James

T    01353 624023
F    01353 624043

Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE


This message has been scanned for viruses and malicious content by Green Duck SpamLab

I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:

http://madasi.homepage.t-online.de/dbcfg/32.exe

...which is then saved as %TEMP%\sollken1.2.8.exe; this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.

Incidentally, the macro contains this snippet:

' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)

All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.

MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf

UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to:

50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)

Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24
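As an added example (not part of the original post), the following Python script turns the indicators listed above into a simple checker: it matches proxy-log destinations against the recommended blocklist (handling the /24 entry as a CIDR range), flags the macro's download URL, recognises the dropped file name, and compares MD5s against the two hashes given. The log lines and the internal/placeholder addresses (10.0.0.x, 203.0.113.x, 198.51.100.x) are constructed for the demonstration and are not from the post.

```python
import hashlib
import ipaddress
import re

# Indicators taken from the post above.
C2_BLOCKLIST = [
    "50.31.1.21",
    "87.236.215.103",
    "2.6.14.246",
    "14.96.207.127",
    "95.163.121.0/24",
]
DOWNLOAD_URL = "http://madasi.homepage.t-online.de/dbcfg/32.exe"
DROPPED_FILENAME = "sollken1.2.8.exe"
KNOWN_MD5S = {
    "8f79a24970d9e7063ffcedc9a8d23429",
    "02cfa3e6fdb4301528e5152de76b2abf",
}

# Single hosts and the /24 are both parsed as networks so one membership
# test covers them.
BLOCK_NETWORKS = [ipaddress.ip_network(entry, strict=False) for entry in C2_BLOCKLIST]


def ip_is_blocked(ip_text):
    """True if the address falls inside any blocklist entry."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in BLOCK_NETWORKS)


def path_is_dropped_payload(path):
    """True if the file name matches the payload the macro writes to %TEMP%."""
    basename = re.split(r"[\\/]", path)[-1]
    return basename.lower() == DROPPED_FILENAME


def md5_is_known(md5_hex):
    """True if the hex MD5 matches one of the hashes reported in the post."""
    return md5_hex.strip().lower() in KNOWN_MD5S


def md5_of_bytes(data):
    """MD5 of in-memory file content, for comparison with md5_is_known()."""
    return hashlib.md5(data).hexdigest()


# Constructed sample proxy log (not from the post): time, client, dest, method, URL.
SAMPLE_PROXY_LOG = """\
2015-03-25T09:41:02 10.0.0.15 203.0.113.7 GET http://madasi.homepage.t-online.de/dbcfg/32.exe
2015-03-25T09:41:09 10.0.0.15 50.31.1.21 POST http://50.31.1.21/
2015-03-25T09:41:10 10.0.0.15 95.163.121.178 POST http://95.163.121.178/
2015-03-25T09:42:00 10.0.0.22 198.51.100.9 GET http://198.51.100.9/index.html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def scan_proxy_log(text):
    """Return one hit per log line that touches a listed IP or the download URL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, src, dst, method, url = m.groups()
        reasons = []
        if ip_is_blocked(dst):
            reasons.append("dst in C2 blocklist")
        if url == DOWNLOAD_URL:
            reasons.append("macro download URL")
        if reasons:
            hits.append({"time": ts, "src": src, "dst": dst, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["src"], "->", hit["dst"], "|", ", ".join(hit["reasons"]))
```

Running the script against the constructed log reports three of the four lines: the fetch of 32.exe, the connection to 50.31.1.21, and the connection to 95.163.121.178 (caught by the /24 rather than an exact entry). Real logs will need the regular expression adjusted to the proxy's actual format.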

1 comment:

Fingers3 said...

I have received 2 of these spam e-mails from "James Dudley" sent at 10:24 and 11:25 today, 25 March, 2015.