Sponsored by..

Wednesday 6 May 2015

Malware spam: "Email from Transport for London" / "noresponse@cclondon.com"

This spam does not come from Transport for London, but is instead a simple forgery with a malicious attachment.

From:    noresponse@cclondon.com
Date:    6 May 2015 at 12:44
Subject:    Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.


Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
______________________________________________________________________

So far I have seen four different versions of the malicious Word document AP0210780545.doc, all with low detection rates [1] [2] [3] [4] containing various macros [1] [2] [3] [4]. These attempt to download an executable from one of the following locations:

http://jkw-sc.com/111/46.exe
http://aimclickbang.com/111/46.exe
http://www.haunersdorf.de/111/46.exe
http://volpefurniture.com/111/46.exe


This file is saved as %TEMP%\wiley5.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show attempted network traffic to:


62.152.36.90 (Filanco Ltd, Russia)
89.28.83.228 (StarNet, Moldova)
185.12.95.191 (RuWeb CJSC, Russia)
185.15.185.201 (Colobridge, Germany)


This Malwr report shows that it drops a Dridex DLL with a detection rate of 4/56.

Recommended blocklist:
62.152.36.90
89.28.83.228
185.12.95.191
185.15.185.201


MD5s:
412ce577521a560459cd711f5966caf4
997bafa825426a3456625983878cb5df
bab231ddf87a24dd81638483f209d238
a49a337f1189dd139499a102b635c918
079f0c588769f6961d888614cf140812
03f9a963fefffc4b97b880a8c4ad208b

No comments: