
Monday, 5 October 2015

Malware spam: "Your Invoices - Incident Support Group Ltd" / "repairs@isgfleet.co.uk"

This fake financial spam is not from Incident Support Group Ltd but is instead a simple forgery with a malicious attachment:

From     repairs@isgfleet.co.uk
Date     Mon, 05 Oct 2015 15:47:11 +0700
Subject     Your Invoices - Incident Support Group Ltd

Please find attached your invoices from Incident Support Group Ltd. If you wish to
change the email address we have used please email repairs@isgfleet.co.uk with the
correct details.

In the sample I saw, the attached file was 216116.xls which has a VirusTotal detection rate of 6/56 and contains this malicious macro [pastebin] which then downloads a component from the following location:

agridiotiko.com/432/4535.exe

Note that at the time of writing, I only have one sample of this. There are usually several versions of the attachment in these spam runs, with different download locations. The malicious binary has a detection rate of 4/56.

The VirusTotal report and this Hybrid Analysis report indicate traffic to:

84.246.226.211 (ELB Multimedia, France)

Blocking or monitoring traffic to and from that address would probably be prudent. The payload is most likely the Dridex banking trojan.

UPDATES:
Other download locations spotted so far:

www.poncho-zwerfkatten.be/432/4535.exe
conserpa.vtrbandaancha.net/432/4535.exe
www3.telus.net/~a7a78529/432/4535.exe
216.119.122.167/432/4535.exe

MD5s:

10 comments:

easystar said...

Hello...
Thanks for the article.

Got one too. Exactly the same content and xls.

The man in the corner said...

Just got this one. Windows Defender didn't see anything bad in it, but I'm naturally suspicious so I Googled it.

Frank Love said...

Just got this same email in my inbox as well. I never open attachments from emails I'm unsure about but Googled it just to be on the safe side.

Jig Wells said...

Yes, got one too, along with the usual cluttering of PayPal scams (do these work on anybody anymore!?), obviously fake as hell. Obviously if you don't know them, haven't paid for services or applied for anything (at the very least you should recognise the name), then safely ignore; if it's important they can call or write.

security said...

Block:
hxxp://216[.]119[.]122[.]167/432/4535[.]exe
hxxp://www3[.]telus[.]net/~a7a78529/432/4535[.]exe
hxxp://www[.]poncho-zwerfkatten[.]be/432/4535[.]exe
hxxp://conserpa[.]vtrbandaancha[.]net/432/4535[.]exe

Cheers,
Dado
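An added example (not part of the post or of the comments) that checks proxy log lines against Dado's block list above and the address from the post: the refang step turns the hxxp://...[.] form back into a matchable URL, and the /432/4535.exe path that every sample so far has fetched is also flagged on its own, so a download host that has not been listed yet is still caught. The Squid-style log layout and the sample lines are constructed, and example.com / example.net are placeholder hosts.

```python
import re

# Indicators from the post and Dado's comment above (defanged form); C2 address from the sandbox reports.
DEFANGED_URLS = [
    "hxxp://216[.]119[.]122[.]167/432/4535[.]exe",
    "hxxp://www3[.]telus[.]net/~a7a78529/432/4535[.]exe",
    "hxxp://www[.]poncho-zwerfkatten[.]be/432/4535[.]exe",
    "hxxp://conserpa[.]vtrbandaancha[.]net/432/4535[.]exe",
    "hxxp://agridiotiko[.]com/432/4535[.]exe",
]
C2_IPS = {"84.246.226.211"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

# Listed hosts, plus the shared path so an unlisted download host is still caught.
HOSTS = {re.match(r"https?://([^/]+)/", refang(u)).group(1).lower() for u in DEFANGED_URLS}
PATH_RE = re.compile(r"/432/4535\.exe$", re.IGNORECASE)

# Assumed Squid native log layout: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def check_line(line: str):
    """Return (client, reason, url) when a log line hits an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    host = re.match(r"(?:https?://)?([^/:]*)", url).group(1).lower()  # CONNECT lines are host:port
    if host in HOSTS:
        return (m.group("client"), "known download host", url)
    if host in C2_IPS:
        return (m.group("client"), "known C2 address", url)
    if PATH_RE.search(url.split("?", 1)[0]):
        return (m.group("client"), "same download path, unlisted host", url)
    return None

def scan(lines):
    """Run check_line over log lines and keep only the hits, in log order."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample, not real traffic (documentation IP ranges, example.* placeholder hosts).
SAMPLE_LOG = [
    "1444033631.123    245 10.0.0.15 TCP_MISS/200 184320 GET http://agridiotiko.com/432/4535.exe - DIRECT/203.0.113.5 application/octet-stream",
    "1444033640.456    120 10.0.0.15 TCP_MISS/200 512 CONNECT 84.246.226.211:443 - DIRECT/84.246.226.211 -",
    "1444033650.789     30 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
    "1444033660.000    300 10.0.0.31 TCP_MISS/200 184320 GET http://example.net/432/4535.exe - DIRECT/198.51.100.7 application/octet-stream",
]
```

Running scan(SAMPLE_LOG) reports the two entries from 10.0.0.15 (download host, then the C2 address) and the unlisted-host download from 10.0.0.31, and nothing for the ordinary web hit.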

chrism said...

Thanks, just received one of these. Will delete.

Ross Putman said...

I just accidentally opened the same email and viewed the attachment in edit mode, so I'm assuming the macro ran. How would I go about removing this virus? I've already run Windows Defender and scanned my computer, but it didn't find anything.

Conrad Longmore said...

@Ross - it might have downloaded all sorts of things. I would recommend shutting it down first of all, then resetting your banking passwords if you have them saved on the computer. In a few days' time the AV vendors should be up-to-date with their signatures, but you need something better than Windows Defender. The F-Secure Online Scanner and Trend Micro Housecall are two good online scanners.

One sign of infection is a file C:\Users\[username]\AppData\Local\Temp\zzA.exe which will (if present) show that the machine is infected, but other components may have been downloaded and just removing it may not clean up the machine.

Ross Putman said...

@Conrad Longmore

I've checked my temp folder like you suggested. The .exe file wasn't there, and nothing has been created or changed in my temp folder for the last 5 days, so does that mean I'm okay?

Luckily I don't use this computer whatsoever for any banking or anything using passwords.

Conrad Longmore said...

@Ross, looks promising but I would still give it a scan in a few days. Maybe invest in some better anti-virus software too, Kaspersky seems good at detecting this. :)