Sponsored by..

Thursday 8 October 2015

Malware spam: "Deposit Payment" / "Frederico Kessler [Frederico.Kessler@Gamesys.co.uk]"

This fake financial email does not comes from Frederico Kessler but is instead a simple forgery with a malicious attachment:

From     Frederico Kessler [Frederico.Kessler@Gamesys.co.uk]
Date     Thu, 08 Oct 2015 04:14:23 -0700
Subject     Deposit Payment

Hi,

Attached is receipt of transfer regarding the deposit increase for our new contract
to the Cherry Tree Cottage.
Let me know if its all sorted.

Frederico Kessler
Product Owner | Games Platform
[cid:9DCD81C9-9267-4802-AAE1-B3AF9887E131]
[gamesysign]
4th Floor, 10 Piccadilly
London, W1J 0DD

Email: frederico.kessler@gamesys.co.uk

Attached is a malicious Excel document named Payments Deposit.xls which comes in five different versions (so far) [1] [2] [3] [4] [5] each containing a slightly modifed macro [example] which downloads a malicious executable from the following locations:

archives.wnpvam.com/bvcb34d/983bv3.exe
swaineallen.uk/bvcb34d/983bv3.exe
katastimataone.com/bvcb34d/983bv3.exe
vsehochuti.unas.cz/bvcb34d/983bv3.exe
dmedei.3x.ro/bvcb34d/983bv3.exe


These download locations have been in use for a couple of other spam runs [1] [2] but now the payload has been altered and has a VirusTotal detection rate of 3/56.  That VirtusTotal report and this Hybrid Analysis report show traffic to:

198.61.187.234 (Rackspace, US)

I recommend that you block traffic to that IP.

MD5s:
5bddf5271b1472eca61a6a2d66280020
8df205eff019378f33c7b512f81a2087
aa93cbf333d1dcaf1408207938dbd5c3
d7a5bf7ae458e3584a01d1c5df0186db
59cd64d7e98f71870b6746ecb4b31b40
fa31f4fced30b9b1a720f4072afde32d


No comments: