From: Trudy Trevino
Date: 4 March 2015 at 09:29
Subject: Remittance advice [Rem_0559ZX.xml]

You can find remittance advice [Rem_0559ZX.xml] in the attachment

Other example fake senders are:
DELTEX MEDICAL GROUP
JOHNSON SERVICE GROUP PLC
BRISTOL & WEST PLC
JPMORGAN US SMALLER CO INV TST PLC
The name of the XML file in the attachment (and also the body text and subject) varies but is always in the format Rem_1234AB.xml. So far I have seen three different versions (clicking the MD5 leads to a Pastebin with the XML attachment):
- MD5 B2E594BDE90A1C998F3A7D892BAC925B - VT 0/57
- MD5 77739AB6C20E9DFBEFFA3E2E6960E156 - VT 0/57
- MD5 877E6EC17F307C319E3084D1EDFC40A4 - VT 0/57
There's probably little reason to accept XML documents by email. Blocking these at your email gateway might be a good idea.
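As an added example (not code from the original post), a gateway-side check in Python that holds any message carrying an XML attachment and records which of this campaign's markers matched: the Rem_1234AB.xml filename format and the "Remittance advice [Rem_....xml]" subject. The sample message, its sender address and the attachment body are constructed placeholders.

```python
import re
from email import policy
from email.parser import BytesParser

# Filename pattern used by this campaign: "Rem_" + four digits + two letters + ".xml"
REM_NAME = re.compile(r"^Rem_\d{4}[A-Z]{2}\.xml$", re.IGNORECASE)
REM_SUBJECT = re.compile(r"Remittance advice \[Rem_\d{4}[A-Z]{2}\.xml\]", re.IGNORECASE)
XML_TYPES = {"text/xml", "application/xml"}

def inspect_message(raw: bytes) -> dict:
    """Return a hold/block verdict for one raw RFC 5322 message, with reasons.

    Any XML attachment (declared MIME type or .xml name) is enough to block, as the
    post recommends; the campaign markers are recorded so the verdict is explainable.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype in XML_TYPES or name.lower().endswith(".xml"):
            reasons.append(f"xml attachment {name or '<unnamed>'} ({ctype})")
        if REM_NAME.match(name):
            reasons.append(f"campaign filename pattern {name}")
    subject = str(msg["subject"] or "")
    if REM_SUBJECT.search(subject):
        reasons.append(f"campaign subject pattern {subject!r}")
    return {"block": bool(reasons), "reasons": reasons}

# Constructed sample modelled on the spam in the post; the sender address and the
# attachment body are placeholders, not captured content.
SAMPLE_SPAM = b"""\
From: Trudy Trevino <placeholder@example.invalid>
Subject: Remittance advice [Rem_0559ZX.xml]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

You can find remittance advice [Rem_0559ZX.xml] in the attachment
--b1
Content-Type: application/xml; name="Rem_0559ZX.xml"
Content-Disposition: attachment; filename="Rem_0559ZX.xml"

<placeholder/>
--b1--
"""
```

Run `inspect_message(SAMPLE_SPAM)` to see the three reasons recorded for the sample; a plain-text message with no attachment returns an empty reason list and is not blocked.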
An analysis from another party indicates the following download locations:
The following are the servers the malware phones home to, I recommend blocking them:
More analysis to follow...