
Monday, 12 October 2015

Malware spam: "Insurance" / "accounts@nolettinggo.co.uk"

This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.

From     [accounts@nolettinggo.co.uk]
Date     Mon, 12 Oct 2015 11:43:16 +0330
Subject     Insurance

Dear all

Please find attached insurance paperwork including EL certificate.  Invoices
will follow at the beginning of November.


In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56. This particular document contains this malicious macro [pastebin] which downloads a malware component from the following location:


The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56.

That VirusTotal report and this Hybrid Analysis report show network traffic to: (TransIP BV, Netherlands)

I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan.
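The indicators in this post (the attachment name, the dropped file in %TEMP%, and the download/callback address) are what a defender would sweep logs for. As an added example, not part of the original post, the script below checks constructed mail-gateway, endpoint and firewall log lines against those indicators; the IP address is a labelled placeholder because the post's copy of it is missing here, and the log format is assumed.

```python
"""Sweep log lines for the indicators described in the post (added example).
The C2 IP is a PLACEHOLDER; the attachment and dropped-file names are from the post."""
import re
from typing import Dict, List

# Indicators from the post; the IP is a placeholder (TEST-NET-3), substitute the real one.
INDICATORS: Dict[str, str] = {
    "attachment": "SKMBT_C36014102815580.doc",
    "dropped_file": "gicage.exe",      # the post reports it saved as %TEMP%\gicage.exe
    "c2_ip": "203.0.113.10",           # PLACEHOLDER, not the address from the reports
}

# Constructed sample lines (assumed key=value format): mail gateway, endpoint
# process creation, one benign firewall entry and one to the placeholder address.
SAMPLE_LOGS: List[str] = [
    "2015-10-12T11:43:16 mailgw from=accounts@nolettinggo.co.uk subject=Insurance attach=SKMBT_C36014102815580.doc",
    "2015-10-12T11:45:02 endpoint host=PC17 event=ProcessCreate image=C:\\Users\\bob\\AppData\\Local\\Temp\\gicage.exe parent=WINWORD.EXE",
    "2015-10-12T11:45:03 firewall src=10.0.0.17 dst=203.0.113.10 dport=443 action=allow",
    "2015-10-12T11:46:00 firewall src=10.0.0.17 dst=93.184.216.34 dport=80 action=allow",
]


def temp_path_matches(image: str, name: str) -> bool:
    """True when `image` is `name` directly inside a Temp directory (what %TEMP% expands to)."""
    return re.search(r"\\temp\\" + re.escape(name) + r"$", image, re.IGNORECASE) is not None


def sweep(lines: List[str], ioc: Dict[str, str] = INDICATORS) -> List[Dict[str, str]]:
    """Return one hit per line that matches an indicator, naming the log source and indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        tokens = line.split()
        source = tokens[1]  # second token is the log source in the assumed format
        fields = dict(kv.split("=", 1) for kv in tokens[2:] if "=" in kv)
        if fields.get("attach", "").lower() == ioc["attachment"].lower():
            hits.append({"source": source, "indicator": "attachment", "value": fields["attach"]})
        elif temp_path_matches(fields.get("image", ""), ioc["dropped_file"]):
            hits.append({"source": source, "indicator": "dropped_file", "value": fields["image"]})
        elif fields.get("dst") == ioc["c2_ip"]:
            hits.append({"source": source, "indicator": "c2_ip", "value": fields["dst"]})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"{hit['source']}: {hit['indicator']} -> {hit['value']}")
```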



LindaD said...

Many thanks, I have that email in my inbox but knew it was not legit. Many thanks for confirmation.

Webb Rowan said...

I wonder what they get out of spam mail like this. It doesn't seem as though they can get money or finance information out of it with replies. It's probably a virus of sorts.