Sponsored by..

Thursday, 17 December 2015

Malware spam: "12/16 A Invoice"

This fake financial spam leads to malware:
From:    Kelley Small
Date:    17 December 2015 at 08:39
Subject:    12/16 A Invoice

Please find attached a recharge invoice for your broadband.

Many thanks,
Kelley Small
The sender's name is randomly generated, for example:

Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher

There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.

The Malwr reports for those documents is a mixed bag [1] [2] [3] [4] [5] [6] [7] is a mixed bag, but overall they spot data being POSTed to:

Sources tell me there is another download location of:

Those IPs are likely to be malicious and belong to: (Veraton Projects Ltd, Netherlands) (Denis Pavlovich Semenyuk / TutHost, Ukraine) (Hostpro Ltd, Ukraine)

They also GET from:


A file karp.exe  is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with: (SC-Nextra Telecom SRL, Romania)

It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.


Recommended blocklist:


UPDATE 12/1/16 

The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.

No comments: