Monday, 19 October 2015

Malware spam: "COS007202" / "Stephanie Greaves [sgreaves@btros.co.uk]"

This fake financial spam does not come from Bombardier Transportation but is instead a simple forgery with a malicious attachment:

From:    "Stephanie Greaves" [sgreaves@btros.co.uk]
Date:    Mon, 19 Oct 2015 12:06:42 +0430
Subject: COS007202

Good morning,

Please see attached purchase order.

Kind regards,

Stephanie Greaves

Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

Attached is a file COS007202.doc, which comes in at least three different versions (VT results [1] [2] [3]), each containing a slightly different malicious macro [1] [2] [3] [pastebin].

Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan. Please check back later.

UPDATE:
According to these Hybrid Analysis reports [1] [2] [3], those macros download from the following locations:

euroagroec.com/35436/5324676645.exe
demo9.iphonebackstage.com/35436/5324676645.exe
webmatique.info/35436/5324676645.exe
The binary they download has a VirusTotal detection rate of 3/56 and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:

157.252.245.49 (Trinity College Hartford, US)

I recommend that you block traffic to that IP.
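As an added example (not part of the original post), here is a small Python scanner that checks proxy logs for the indicators listed above: the three download hosts with the `/35436/5324676645.exe` path, and any traffic to 157.252.245.49. The log format (timestamp, client IP, destination IP, method, URL) and the sample lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the post above.
DOWNLOAD_HOSTS = {"euroagroec.com", "demo9.iphonebackstage.com", "webmatique.info"}
DOWNLOAD_PATH = "/35436/5324676645.exe"
C2_IP = "157.252.245.49"

# Constructed sample proxy log (not real traffic). Assumed space-separated
# format: timestamp client_ip dest_ip method url
SAMPLE_PROXY_LOG = """\
2015-10-19T12:10:03Z 10.1.2.30 93.184.216.34 GET http://example.com/index.html
2015-10-19T12:10:41Z 10.1.2.30 203.0.113.7 GET http://webmatique.info/35436/5324676645.exe
2015-10-19T12:11:05Z 10.1.2.30 157.252.245.49 POST http://157.252.245.49/
2015-10-19T12:12:10Z 10.1.2.44 203.0.113.8 GET http://euroagroec.com/about.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def classify(src, dst, url):
    """Return (severity, reason) for one request, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in DOWNLOAD_HOSTS and parts.path == DOWNLOAD_PATH:
        return ("high", "macro stage-1 download of 5324676645.exe from " + host)
    if dst == C2_IP or host == C2_IP:
        return ("high", "traffic to Dridex C2 " + C2_IP)
    if host in DOWNLOAD_HOSTS:
        # The download hosts are compromised sites that also serve legitimate
        # pages, so a host match without the payload path is weaker evidence.
        return ("low", "contact with known download host " + host)
    return None


def scan_proxy_log(text):
    """Parse each log line and collect the ones matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        verdict = classify(m["src"], m["dst"], m["url"])
        if verdict:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Running it on the sample log flags the payload download and the C2 contact from 10.1.2.30 as high severity, and the unrelated page fetch from euroagroec.com as low.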

MD5s:
1de3889fde95e695adf6eadcb4829c6d
7ae379d02b72d5768cc07f4241def163
d9cd6d350cde885bd9c0171b6a56ee52
aea40296ee7eb0c73ae488b918572481

2 comments:

Pete Hainlen said...

Saw this same campaign come in as a phish with the following attributes:
Sender: customerservices@ocado.com
Subject: Your receipt for today's Ocado delivery
Attach: receipt.doc
Body:
Hello

Your receipt for today's delivery is attached to this email. I'll be delivering your 12:00-14:00 order and, so you'll know it's me, I'll be driving the Lemon van.

Your order doesn't have any substitutions, everything's there.

See you later,

Paul

Unknown said...

That's how I got it too