Sponsored by..

Tuesday, 23 June 2015

Malware spam: "Hope this e-mail finds You well" / "Stacey Grimly"

This spam comes with a malicious attachment:

Date:    23 June 2015 at 14:14
Subject:    Hope this e-mail finds You well

Good day!

Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.

Stacey Grimly,
Project Manager
Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:

check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717

The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.

Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations: (Orion Telekom, Serbia) (Suddenlink Communications, US) (Orion Telekom, Serbia) (Charter Communications, US)

These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of: (Time Warner Cable, US)

The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.

Recommended blocklist:


No comments: