Thursday, 19 November 2015

Malware spam: "Your Google invoice is ready" / "billing-noreply@google.com"

This fake invoice does not come from Google, but is instead a simple forgery with a malicious attachment:

From:    billing-noreply@google.com
Date:    19 November 2015 at 12:40
Subject:    Your Google invoice is ready

Attached to this email, please find the following invoice:

Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806

Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@google.com.

Yours Sincerely,
The Google Billing Team

Billing ID: 0349-7974-3806
The attachment is named 1630884720.doc. It comes in at least two versions (VirusTotal analysis [1] [2]), each containing a malicious macro like this [pastebin].

Analysis of the documents is still pending (please check back), but the payload is almost certainly the Dridex banking trojan.


The Hybrid Analysis of the two documents [1] [2] shows attempted downloads from the following locations:

bhoomiconsultants.com/8i65h4g53/o97i76u54.exe [active]
bhairavraffia.com/8i65h4g53/o97i76u54.exe [file not found]

This binary has a detection rate of 1/54, and those reports indicate malicious network traffic to the familiar IP address: (Ministry of Education, Thailand)

I strongly recommend that you block traffic to that IP.
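The download URLs and the IP above cover the network side; the mail side can be caught earlier. The message is a plain forgery of the From: address, so it should fail SPF/DKIM at any gateway that checks them (google.com publishes both), and the attachment is an OLE .doc carrying a VBA project with an all-digit filename. The script below is an added example, not the blog's own code: stdlib-only Python that applies those three checks to a raw message. The sample message, its Authentication-Results verdict and the stand-in attachment bytes are constructed for the demo and are not the real samples.

```python
"""Gateway-side triage heuristics for the fake "Google invoice" spam.

Added example, not the blog's code.  The message built by build_sample()
is a constructed imitation of the spam; the Authentication-Results value
is an assumed gateway verdict, and the attachment is a stand-in, not the
real 1630884720.doc.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Compound File Binary (OLE2) magic that every genuine .doc starts with
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage/stream names that appear in the raw bytes of a .doc with a VBA project
VBA_MARKERS = (b"_VBA_PROJECT", b"Macros")


def parse_auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def from_domain(msg):
    """Domain of the RFC 5322 From: address, i.e. the one the victim sees."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return human-readable findings for a raw message; empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender claims google.com but the message did not authenticate as google.com
    domain = from_domain(msg)
    auth = parse_auth_results(msg)
    if domain == "google.com" and (auth.get("spf") != "pass" or auth.get("dkim") != "pass"):
        findings.append(f"From: claims {domain} but spf={auth.get('spf')} dkim={auth.get('dkim')}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # 2. Campaign naming pattern: invoice number as the whole filename
        if re.fullmatch(r"\d+\.doc", name):
            findings.append(f"{name}: all-digit .doc filename, matches this campaign")
        # 3. OLE container whose bytes include VBA project markers (crude macro check)
        if data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS):
            findings.append(f"{name}: OLE document containing VBA project markers")
    return findings


def build_sample() -> bytes:
    """Constructed message imitating the spam above (NOT the real sample)."""
    msg = EmailMessage()
    msg["From"] = "billing-noreply@google.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your Google invoice is ready"
    # Assumed verdict from the receiving gateway: a forged google.com sender fails SPF
    msg["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=google.com; dkim=none"
    msg.set_content("Attached to this email, please find the following invoice:\n")
    # Stand-in for the macro document: a correct OLE header plus VBA stream names
    fake_doc = OLE_MAGIC + b"\x00" * 56 + b"Macros" + b"\x00" * 10 + b"_VBA_PROJECT"
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="1630884720.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("[!]", line)
```

The VBA check is deliberately a byte-scan rather than a proper OLE parse, so it is a triage signal, not a verdict; a full macro extraction (for example with oletools' olevba) belongs in the sandbox step, not the gateway.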

1 comment:

Pete Hainlen said...

C2 channels: