Sponsored by..

Monday 18 May 2015

Malware spam: "Your reasoning stands in need" / "Have a need in your thought" / "In want of your concern"

This fake financial spam run is similar to this one last week, and comes with a malicious attachment.

From:    Aida Curry
Date:    18 May 2015 at 11:40
Subject:    Your reasoning stands in need

Good Afternoon,
We have attained a reimbursement from you for the draft of £ 2909. Please would you secure me with a remittance, in order for me to reconcile the statement.
I will be sending you a pronouncing of outstanding invoices tomorrow, the entire quantum of outstanding is £ 5893 less the 1 draft received making a whole outstanding of £ 2984. We would very much appreciate settlement of this.
As previously mentioned we reversed to a limited company on 1st December 2014. We are desire to conclude all the old checks down, for both tax and year end reasons. We would be very grateful in your assistance in eliciting the outstanding.
If you need any application of bills please do not hesitate to contact us
Regards,
Aida Curry

-------------------

From:    Cornelius Douglas
Date:    18 May 2015 at 11:39
Subject:    Your reasoning stands in need

Good morning
Please find attached   a remittance advice, relating to a outpayment made to you.
Many thanks
Regards,
Cornelius Douglas
Seniour Finance Assistant

-------------------

From:    Jewell Shepard
Date:    18 May 2015 at 11:37
Subject:    Have a need in your thought

Please, see the attached similar of the remittance.
Please, can you remit a revised pronouncing so we can settle any outstanding balances.
Kind Regards,
Jewell Shepard
Subjects spotted so far are:
In want of your concern
Your reasoning stands in need
Have a need in your thought
Vital announcement 561335
Your advertence stands in need
Grand advert 482209
Important notice 540897
In want of your regarding
In want of your concern
Your reasoning stands in need
Wish to know your thought
Your cognizance is in great necessity
Need your consideration

There seem to be several different attachments, but for the sake of simplicity I have looked at just one. The Hybrid Analysis report shows this this is a MIME attachment that downloads and executes a script from pastebin[.]com/download.php?i=C5KGsRX3 which in turn downloads a malicious executable from  193.26.217[.]220:80/bt/get3.php (Servachok LTD, Russia) which is saved as crypted.120.exe.

This executable has a VirusTotal detection rate of 4/57. The Malwr and Hybrid Analysis reports indicates traffic to 5.63.154.228 (Reg.Ru, Russia) and also shows a dropped Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
5.63.154.228
193.26.217.220

MD5s (executable):
af15ba558c07f8036612692122992aad
0074fdc06f8b1da04c71feb249e546dc

No comments: