Sponsored by..

Monday 14 December 2015

Malware spam: "Invoice 14 12 15" / "THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]"

This terse fake financial spam is not from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:
From:    THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]
Date:    14 December 2015 at 11:15
Subject:    Invoice 14 12 15

This message contains 2 pages in PDF format.
Curiously, the bad guys have gone as far as to include a fake header to make it look like a fax:

X-Mailer: ActiveFax 3.92
 
Attached is a file fax00163721.xls which is fairly obviously not a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:

exfabrica.org/437g8/43s5d6f7g.exe
test-cms.reactive.by/437g8/43s5d6f7g.exe


This binary has a detection rate of 0/54. That VirusTotal report and this Hybrid Analysis both show traffic to:

199.7.136.84 (Megawire, Canada)

This malware is likely to be Dridex. Given that it is similar to the one found here,  I would recommend blocking network traffic to:

199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169


MD5s:
a0de2560362cc6dfc53d1cd5ff50559b
bd22c4b0b6996a8405b2d33696e1e71e
b1fff594a8877042efd0ed4d67f6feb6




No comments: