Monday, 30 November 2015

Malware spam: "Message from mibser_00919013013"

I have only one sample of this rather terse email with no body text:
From:    scan@victimdomain
Reply-To:    scan@victimdomain
To:    hiett@victimdomain
Date:    30 November 2015 at 09:22
Subject:    Message from mibser_00919013013
The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54 and contained this malicious macro [pastebin].
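As an added illustration (not code from the original post), here is a gateway-side check for exactly this pattern: sender and recipient share a domain, yet the host that delivered the message (read from the outermost Received header our own MX wrote) is not one of the domain's real scanners, and an Office attachment rides along. The sample message, the relay host and IP, the internal-host list and the subject regex are constructed assumptions modelled on the headers quoted above.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the Received
# line, relay host and IP, and the attachment body are invented for this example.
SAMPLE = b"""Received: from mail.example-relay.net ([203.0.113.45]) by mx.victimdomain with ESMTP; Mon, 30 Nov 2015 09:22:01 +0000
From: scan@victimdomain
Reply-To: scan@victimdomain
To: hiett@victimdomain
Subject: Message from mibser_00919013013
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel; name="Smibser_00915110211090.xls"
Content-Disposition: attachment; filename="Smibser_00915110211090.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Assumed: hosts that legitimately deliver scan@ mail from inside the domain.
INTERNAL_HOSTS = {"scanner.victimdomain"}
# Subject shape used by this campaign, mimicking a scan-to-email device.
SUBJECT_RE = re.compile(r"^Message from \w+_\d+$")
OFFICE_EXT = (".xls", ".xlsm", ".doc", ".docm")

def analyze(raw):
    """Evaluate the indicators a gateway rule would check for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2].lower()
    # The outermost Received header is the hop our own MX recorded: the host
    # that actually handed over the message, whatever the From header claims.
    received = msg.get_all("Received") or []
    m = re.search(r"\bfrom\s+(\S+)", str(received[0])) if received else None
    relay = m.group(1).lower() if m else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "spoofed_internal": bool(from_dom) and from_dom == to_dom
        and relay not in INTERNAL_HOSTS,
        "relay_host": relay,
        "subject_pattern": bool(SUBJECT_RE.match(str(msg.get("Subject", "")))),
        "office_attachments": [n for n in names if n.lower().endswith(OFFICE_EXT)],
    }

def is_suspicious(raw):
    # Quarantine rule: internal-looking sender from outside plus an Office file.
    r = analyze(raw)
    return r["spoofed_internal"] and bool(r["office_attachments"])
```

A legitimate scanner on the internal-host list produces the same From/To pair but is not flagged, which keeps the rule from quarantining real scan-to-email traffic.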

According to this Hybrid Analysis report and this Malwr report the macro downloads a malicious executable from:


This binary has a detection rate of 3/55. Automated report tools [1] [2] show network traffic to: (Cizgi Telekomunikasyon Anonim Sirketi, Turkey) (FPT Telecom Company, Russia) (Sibirskie Seti Novokuznetsk, Russia) (Centr, Kazakhstan)

The payload is likely to be the Dridex banking trojan:


Recommended blocklist:
