
Tuesday, 25 August 2015

Malware spam: "Invoice 26949 from I - SPI Ltd" / "sales@ispitrade.com"

My spam traps did not collect the body text of this message, so all I have are the headers. Nevertheless, this fake financial email is not from i-Spi Ltd; it is a simple forgery carrying a malicious attachment:
From     [sales@ispitrade.com]
Date     Tue, 25 Aug 2015 20:37:09 +0800
Subject     Invoice 26949 from I - SPI Ltd
Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc, which actually comes in several different versions [1] [2] [3] [4] [5] [6]. Each contains a malicious macro like this one [pastebin] that downloads an executable from one of the following locations:

http://landrevie.g.free.fr/45gf3/7uf3ref.exe
http://e-projekt.ns1.internetdsl.pl/45gf3/7uf3ref.exe
http://nathalieetalain.free.fr/45gf3/7uf3ref.exe
http://claudio.locatelli.free.fr/45gf3/7uf3ref.exe
http://spitlame.free.fr/45gf3/7uf3ref.exe


This Hybrid Analysis report shows network traffic to:

91.239.232.9 (Hostpro Ltd, Ukraine)

This is the same bad IP as found in this earlier spam run; I recommend that you block it. The payload here is almost certainly the Dridex banking trojan.
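As an added example (not code from the original post), the script below turns the download URLs listed above and the Dridex IP into indicators and runs them over proxy log lines. The log lines are constructed for this example in Squid's native access.log layout; the hostname other-host.example and the peer addresses in them are invented. One assumption goes slightly beyond the post: because every listed URL shares the path /45gf3/7uf3ref.exe, a request for that path on a host that is not in the list is flagged as a weaker "same campaign" hit rather than ignored.

```python
"""Match the Dridex indicators from the post against Squid-format proxy log lines (added example)."""
import re
from urllib.parse import urlparse

# Download locations and the post-infection IP quoted in the post above.
DOWNLOAD_URLS = [
    "http://landrevie.g.free.fr/45gf3/7uf3ref.exe",
    "http://e-projekt.ns1.internetdsl.pl/45gf3/7uf3ref.exe",
    "http://nathalieetalain.free.fr/45gf3/7uf3ref.exe",
    "http://claudio.locatelli.free.fr/45gf3/7uf3ref.exe",
    "http://spitlame.free.fr/45gf3/7uf3ref.exe",
]
C2_IPS = {"91.239.232.9"}

# Squid native access.log: time elapsed client action/code bytes method url user hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)\s+(?P<mime>\S+)"
)

# Constructed sample log lines (not real traffic); peer IPs other than the C2 are documentation addresses.
SAMPLE_LOG = """\
1440510123.417    245 10.0.0.15 TCP_MISS/200 184320 GET http://spitlame.free.fr/45gf3/7uf3ref.exe - HIER_DIRECT/192.0.2.10 application/octet-stream
1440510124.002     31 10.0.0.15 TCP_MISS/200 512 POST http://91.239.232.9/ - HIER_DIRECT/91.239.232.9 text/html
1440510130.900     12 10.0.0.22 TCP_HIT/200 9021 GET http://www.example.com/index.html - HIER_NONE/- text/html
1440510131.100    180 10.0.0.31 TCP_MISS/200 184320 GET http://other-host.example/45gf3/7uf3ref.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
"""


def ioc_sets(urls=DOWNLOAD_URLS):
    """Split the download URLs into the host set and path set we match on."""
    parsed = [urlparse(u) for u in urls]
    hosts = {p.hostname.lower() for p in parsed}
    paths = {p.path for p in parsed}
    return hosts, paths


def blocklist(urls=DOWNLOAD_URLS, ips=C2_IPS):
    """Hosts and IPs to feed into a proxy/firewall deny list."""
    hosts, _ = ioc_sets(urls)
    return sorted(hosts) + sorted(ips)


def classify(line, urls=DOWNLOAD_URLS, ips=C2_IPS):
    """Return the reasons a log line matches the indicators; empty list if it is clean or unparsable."""
    m = SQUID_RE.match(line)
    if not m:
        return []
    hosts, paths = ioc_sets(urls)
    u = urlparse(m["url"])
    host = (u.hostname or "").lower()
    reasons = []
    if host in hosts and u.path in paths:
        reasons.append("known download URL")
    elif u.path in paths:
        # Assumption: the shared /45gf3/7uf3ref.exe path marks the same campaign on an unlisted host.
        reasons.append("campaign path on new host")
    # The C2 IP may appear as the requested host or as the peer Squid connected to.
    peer = m["hier"].split("/", 1)[-1]
    if host in ips or peer in ips:
        reasons.append("C2 IP")
    return reasons


def scan(lines, urls=DOWNLOAD_URLS, ips=C2_IPS):
    """Return (client, url, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line, urls, ips)
        if reasons:
            m = SQUID_RE.match(line)
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    print("block:", ", ".join(blocklist()))
    for client, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(client, url, "->", ", ".join(reasons))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a client that shows up with both "known download URL" and, shortly after, "C2 IP" has almost certainly executed the payload and should be treated as infected rather than merely exposed.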

1 comment:

Stephen Wales said...

Conrad, thanks very much for this update on your site. It has helped alleviate some of the customer care issues we have faced over the last few days: we have had over 17,000 emails (that's just the bouncebacks) and 250 phone calls since this started.


Stephen Wales
Twisted Pixels on behalf of iSpi Trade