Sponsored by..

Tuesday 20 October 2015

Malware spam: "GOMEZ SANCHEZ"[postmail@bellair.net]

This spam comes with a malicious attachment:

From     "GOMEZ SANCHEZ"[postmail@bellair.net]
To    
Date     Tue, 20 Oct 2015 13:14:56 +0430
Subject     victim@victimdomain.tld

Congratulations

Print out the attachment file fill it and return it back by fax or email

Yours Sincerely

GOMEZ SANCHEZ
The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) contains one of these three malicious macros [1] [2] [3] .

Analysis of the payload is pending, but is likely to be the Dridex banking trojan. Please check back later.

MD5s:
24d9cd4caca15882dc4f142b46a16622
9a10c47dcdd28017afeec5aca2c71191
d63f6150b45227c20901ee887062d8de

UPDATE:

Sources say that the payload is Shifu, not Dridex. So far, three download location have been identified..

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

No comments: