Tuesday, 12 May 2015

Malware spam: "Copy of your 123-reg invoice ( 123-015309323 )" / "no-reply@123-reg.co.uk"

This fake invoice is not from 123-reg, but is instead a simple forgery with a malicious attachment:

From:    no-reply@123-reg.co.uk
Date:    12 May 2015 at 10:17
Subject:    Copy of your 123-reg invoice ( 123-015309323 )


Thank you for your order.

Please find attached to this email a receipt for this payment.

Help and support

If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.

Thank you for choosing 123-reg.

The 123-reg team.

About us | Privacy policy
© Copyright 123-reg - Part of Webfusion Ltd

Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.

Attached is a Word document 123-reg-invoice.doc, which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:


...which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs:

(Internet-Hosting Ltd, Russia)
(Host Telecom Net, Russia)
(StarNet SRL, Moldova)
(Colobridge gmbh, Germany)

According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.
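The chain above (Word macro writes an .exe into %TEMP%, the .exe runs, then calls out to its C2) is a good candidate for endpoint correlation rather than relying on the 5/57 AV hit rate. Below is an added example of that detection logic, not code from the original post or from any of the analysis tools linked. It assumes Sysmon-style telemetry (EventID 11 FileCreate, 1 ProcessCreate, 3 NetworkConnect, correlated by ProcessGuid) delivered as JSON lines in time order; the sample events are constructed for this example, and the destination addresses are RFC 5737 documentation ranges, not the callback IPs from the analysis.

```python
"""Correlate an Office process dropping an executable into %TEMP%, that
executable starting, and it then connecting outbound.

Telemetry shape is an assumption: Sysmon field names (EventID, Image,
ProcessGuid, TargetFilename, DestinationIp, DestinationPort), one JSON
object per line, in chronological order. The log below is constructed.
"""
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif")
# %TEMP% for an interactive user resolves under AppData\Local\Temp
# (assumption: default profile layout).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed sample events. Paths mirror the post (ihmail4.1.0.exe written to
# %TEMP% by Word); the benign ~WRD*.tmp write and the Firefox connection are
# noise the logic must ignore. Destination IPs are documentation ranges.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "W1", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "ProcessGuid": "W1", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\~WRD0001.tmp"}
{"EventID": 11, "ProcessGuid": "W1", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\ihmail4.1.0.exe"}
{"EventID": 1, "ProcessGuid": "P2", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ihmail4.1.0.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"}
{"EventID": 3, "ProcessGuid": "F3", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443}
{"EventID": 3, "ProcessGuid": "P2", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ihmail4.1.0.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
{"EventID": 3, "ProcessGuid": "P2", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ihmail4.1.0.exe", "DestinationIp": "203.0.113.22", "DestinationPort": 80}
"""


def parse_jsonl(text):
    """Yield one event dict per non-empty line of a JSON-lines log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_dropper_chains(events):
    """Single pass over time-ordered events; returns one alert per outbound
    connection made by a payload that an Office process wrote into %TEMP%.

    Stage 1 -> 2 is linked by full payload path, stage 2 -> 3 by ProcessGuid,
    so an unrelated process with the same image name is not matched.
    """
    dropped = {}   # lower-cased payload path -> Office image that wrote it
    payloads = {}  # ProcessGuid of a running payload -> (dropper, payload)
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 11 and _basename(image) in OFFICE_APPS:
            target = ev.get("TargetFilename", "")
            if TEMP_RE.search(target) and target.lower().endswith(EXEC_EXT):
                dropped[target.lower()] = image
        elif eid == 1 and image.lower() in dropped:
            payloads[ev.get("ProcessGuid")] = (dropped[image.lower()], image)
        elif eid == 3 and ev.get("ProcessGuid") in payloads:
            dropper, payload = payloads[ev["ProcessGuid"]]
            alerts.append({
                "dropper": dropper,
                "payload": payload,
                "destination": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_office_dropper_chains(parse_jsonl(SAMPLE_LOG)):
        print(f"{_basename(alert['dropper'])} dropped {alert['payload']} "
              f"-> connected to {alert['destination']}")
```

Keying stage 2 on the exact path written in stage 1 is what keeps this quiet: Word writing ~WRD*.tmp files into %TEMP% is normal and is ignored, and only a process whose image is one of the dropped executables is tracked forward to its network activity. Extending EXEC_EXT and OFFICE_APPS covers the Excel and PowerPoint variants of the same lure without changing the correlation.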

Recommended blocklist:

