Sponsored by..

Friday 23 October 2015

Malware spam: "cleaning invoice" / "deborah Sherer" [thesherers@westnet.co.uk]

This fake financial spam comes with a malicious attachment:
From     "deborah Sherer" [thesherers@westnet.co.uk]
Date     Fri, 23 Oct 2015 17:03:19 +0700
Subject     cleaning invoice

Hello

attached is invoice for payment

thanks

Deborah Sherer

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:

www.bhtfriends.org/tydfyyur54/43e67tko.exe
zomb.webzdarma.cz/tydfyyur54/43e67tko.exe
nisanyapi.com/tydfyyur54/43e67tko.exe

This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).

That VirusTotal report plus this Hybrid Analysis report show network traffic to:

195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)

Private sources also identify these following IPs as part of the C2 infrastructure:

157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232

MD5s:
d897c1cdab10a2c8cb5ce95bff03411f
a4bdc332d9cecafcc8381cd6e5ff4667
16fabe48278f84f8ae1bc682a3bd71d7
c08519230b49ad87bc6aa12933aa0cec


5 comments:

moorthorpesouthelmsallman said...

Just had one myself and put the email address into Google. Pity we can't saturate the email address with spam.
I started getting these emails soon after I changed my mind on buying something from TeenScrapbookinc on i offer.com. Didn't trust the seller who had me commit to buying before he (or she) would send methods of payment to my email address.Certainly didn't want to send them my credit card details. Coincidentally, the 'seller' sent me a link to an invoice but though it had an https url, there was no verisign on the page.
Paypal might be a bind but it's safer.

Anonymous said...

I've just had one of these invoices, and strangely enough I have just ordered craft materials from a couple of crafting websites too.I'm not going to open it, just delete it.

Unknown said...

Got this email also, googled it, thank goodness - deleted. Also posted the warning on FB

Sweetsue said...

We also had one today and clicked on invoice but nothing showed using mobile and replied as we didn't know who it was and just had mail non delivery notice - will it have caused problems replying and clicking on invoice? I'm not sure if it is?

aPAULing said...

Hi there, I also just got that email sent to myself from postmaster. I will search the web for any type of link to these fuckers and let you know if I find them, so what we spam them or send some scareware back to them as revenge. These people need to be stopped by us.