Sponsored by..

Tuesday 10 November 2015

Malware spam: "Itinerary #C003NS39" / "no-reply@clicktravel.com "

This rather terse fake business spam does not come from Click Travel but is instead a simple forgery with a malcious attachment:

From: no-reply@clicktravel.com [mailto:no-reply@clicktravel.com]
Sent: Tuesday, November 10, 2015 11:21 AM
Subject: Itinerary #C003NS39

Please see document attached

Attached is a file Hotel-Fax-V0045G2B_8308427510989318361.xls which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) downloads a component from:

www.clemenciaortiz.com/87yte55/6t45eyv.exe

So far I have only seen one sample of this, there are likely to be others with different download locations but the same binary. This executable file has a detection rate of 2/55 and that VirusTotal report and this Malwr report indicate traffic to the following IP:

89.108.71.148 (Agava Ltd, Russia)

I strongly recommend blocking traffic to that IP address. The payload is the Dridex banking trojan.

MD5s:
2845499946fd5882f94cc9a4375b364a
2acc52daffb0c66998a84f5a3c57f193

1 comment:

MB said...

I've seen 2 more of this dridex downloader

https://malwr.com/analysis/NzUxY2UyNjYzNWQ2NGQ2Nzk1NTE1NmI0NzMzMmY3YWU/
https://malwr.com/analysis/NmEyOTllMzg5Y2NjNGQ0ZGFjZmU5NTE5ZjFiODY0Mzc/

Cheers M