Thursday, 17 December 2015

Malware spam: "Currys PC World [noreply_stores@currys.co.uk]" / "Your eReceipt"

This very convincing-looking email is not from Currys PC World but is instead a simple forgery with a malicious attachment.

From:    Currys PC World [noreply_stores@currys.co.uk]
Date:    17 December 2015 at 08:27
Subject:    Your eReceipt


Currys PC World
Thank you.
Thank you for your purchase from Currys PC World.
Your e-receipt is attached for your records.
We understand that sometimes products need to be returned. You can either return it to your nearest store or call 0344 561 1234 from the UK or 1890 400 001 from the Republic of Ireland to speak to our customer services team to discuss a refund or exchange. Please have your e-receipt number to hand to speed up the process.

Some email mobile apps don't always show attachments. If you can't see the attachment, simply forward this email to another email address to view and save.

Thank you once again from everyone at Currys PC World.
Terms and conditions
You are receiving this service email because you made a purchase from us and requested an electronic copy of your receipt. Please do not reply to this email. If you need to contact us you can do so at: customer.services@currys.co.uk
Currys is a trading name of DSG Retail Limited, Maylands Avenue, Hemel Hempstead, Hertfordshire HP2 7TG, registered in England No. 504877, VAT No. 226659933. © DSG Retail Ireland Ltd, Unit 9A, The Park, Carrickmines, Dublin 18, Ireland Incorporated in Ireland, a private company with issued shares. Registration Number 259460.

Attachment: e-Receipt.doc (77K)
There are a few different versions of the attachment with fairly low detection rates [1] [2] and analysis of those two examples shows that the macro downloads from the following locations:

old.durchgegorene-weine.de/65dfg77/kmn653.exe
www.riucreatives.com/65dfg77/kmn653.exe
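A defender's check for the two download locations quoted above, as an added example that is not part of the original post: it normalises requested URLs (scheme, port and case) and scans Squid-format proxy log lines for them. The sample log lines are constructed, and the weaker "same path on another host" rule is an assumption of this example, not something the post states.

```python
from urllib.parse import urlsplit

# Download locations named in the post (the post gives no scheme).
KNOWN_URLS = (
    "old.durchgegorene-weine.de/65dfg77/kmn653.exe",
    "www.riucreatives.com/65dfg77/kmn653.exe",
)

def split_url(url):
    """Return (host, path) in lower case; accepts URLs with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.lower()

KNOWN_PAIRS = {split_url(u) for u in KNOWN_URLS}
# Both known locations share one path; an unknown host serving that same path
# is reported as a weaker hit (heuristic assumption, not stated in the post).
KNOWN_PATHS = {path for _, path in KNOWN_PAIRS}

def classify(url):
    """Return 'exact', 'same-path' or None for one requested URL."""
    host, path = split_url(url)
    if (host, path) in KNOWN_PAIRS:
        return "exact"
    if path in KNOWN_PATHS:
        return "same-path"
    return None

def scan_squid_log(lines):
    """Scan Squid native access.log lines; return (client_ip, url, verdict) per hit.
    Native format: time elapsed client status/code bytes method URL user hier type."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits

# Constructed sample log lines (not from the post); the third request is benign.
SAMPLE_LOG = """\
1450340425.117    812 10.1.2.3 TCP_MISS/200 182784 GET http://www.riucreatives.com/65dfg77/kmn653.exe - HIER_DIRECT/203.0.113.5 application/x-msdownload
1450340431.904    655 10.1.2.9 TCP_MISS/200 182784 GET http://OLD.durchgegorene-weine.de:80/65dfg77/kmn653.exe - HIER_DIRECT/203.0.113.6 application/x-msdownload
1450340440.002     90 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.7 text/html
1450340455.330    700 10.1.2.14 TCP_MISS/200 182784 GET http://cdn.example.net/65dfg77/kmn653.exe - HIER_DIRECT/203.0.113.8 application/x-msdownload
""".splitlines()

if __name__ == "__main__":
    for client, url, verdict in scan_squid_log(SAMPLE_LOG):
        print(f"{verdict:9} {client:12} {url}")
```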


The payload here is the Dridex banking trojan and is identical to the one found here and here.

1 comment:

Leanne Roberts said...

Thanks for posting this. It came up at work this morning and surprise, surprise, the user opened the attachment.