Sponsored by..

Tuesday, 4 August 2015

Malware spam: "Need your attention"

A variety of malicious spam messages are in circulation, each with "Need your attention" in the subject. Each message has a different sender, attachment name and reference number in the subject along with some other variations. Here is an example:

From:    Hilda Buckner
Date:    4 August 2015 at 13:29
Subject:    Need your attention: OO-6212/863282


Greetings
Hope you are well

Please find attached the statement that matches back to your invoices.

Can you please sign and return.
In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro [pastebin].

What that macro does (other ones may be slightly different) is download a VBS script from pastebin.com/download.php?i=0rYd5TK3 [link here, safe to click] which is then saved as %TEMP%\nnjBHccs.vbs.

That VBS then downloads a file from 5.196.241.204/bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero (MD5 = 00dca835bb93708797a053a3b540db16).

The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan.

Note that the malware also sends apparantly non-malicious traffic to itmages.ru , for example:
itmages.ru/image/view/2815551/2b6f1599
itmages.ru/image/view/2815537/2b6f1599

Therefore I would suggest that monitoring for traffic to itmages.ru is a fairly good indicator of compromise.

2 comments:

Derek Knight said...

It is ransomware not Dridex this time and the most evil thing about it, is it uses a legitimate digital signature so it will blow past antiviruses and operating system protections
Correctly digitally signed files are treated as good

idiocat78 said...

anyone know who this guy is? Got hacked by him a while ago. Anyone else a victim?