Sponsored by..

Tuesday 4 August 2015

Malware spam: "INVOICE HH / 114954" / "haywardsheath@hpsmerchant.co.uk"

This fake invoice is not from Heating & Plumbing Supplies but is instead a simple forgery with a malicious attachment:

From     [haywardsheath@hpsmerchant.co.uk]
Date     Tue, 04 Aug 2015 12:19:56 +0200
Subject     INVOICE HH / 114954

Please find attached INVOICE HH / 114954
--
Automated mail message produced by DbMail.
Registered to Heating & Plumbing Supplies, License MBS2009358.

Attached is a file R-20787.doc which contains a malicious macro like this one [pastebin] that comes in at least two different versions, downloading from the following URLs:

mszpdorog.hu/45g33/34t2d3.exe
cvaglobal.com/45g33/34t2d3.exe

The Hybrid Analysis reports [1] [2] give some insight as the the characteristics of the malicious document. The downloaded file has a VirusTotal detection rate of 3/55. Automated analysis [1] [2] shows traffic to the following IPs:

194.58.111.157 (Reg.RU, Russia)
62.210.214.106 (Iliad / Online S.A.S., France)
31.131.251.33 (Selectel, Russia)


The payload is the Dridex banking trojan.

Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33

MD5s:
8f3063ef8032799f71507b8f88f8a1c5
64011582b5dfa8fd79d823957a569b5f
3303a507e6584136c39c354085760987


No comments: