Sponsored by..

Thursday, 3 December 2015

Malware spam: "Invoice from DATANET the Private Cloud Solutions Company" / "Holly Humphreys [Holly.Humphreys@datanet.co.uk]"

This fake financial email does not come from Datanet but is instead a simple forgery with a malicious attachment:
From:    Holly Humphreys [Holly.Humphreys@datanet.co.uk]
Date:    3 December 2015 at 08:57
Subject:    Invoice from DATANET the Private Cloud Solutions Company

Dear Accounts Dept  :

Your invoice is attached, thank you for your business.

If you have any queries please do not hesitate to contact us.

Regards

DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday

Please reply to Accounts@datanet.co.uk
________________________________
 Holly Humphreys
Operations
Datanet - Hosting & Connectivity
E:

Holly.Humphreys@datanet.co.uk

W:

www.datanet.co.uk

T:

01252 810010

F:

01252 813391

S:

01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7


DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.

Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.

Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053
I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.

According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from :

encre.ie/u5y432/h54f3.exe

There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55 and that report plus this Malwr report  indicate malicious network traffic to:

162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)


The payload is almost definitely the Dridex banking trojan.

MD5s:
1bfd7cdc2731ec85617555f63473e3c9
0dcb805a3efa215bde97aa1f32559b77


Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169


UPDATE

I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from:

parentsmattertoo.org/u5y432/h54f3.exe



4 comments:

elvis lives said...

I have just received same email- thanks for the warning :)

dsarthurs said...

Me too. Thanks much. I received both the Datanet and Industrial Cleaning Materials emails within an hour, early a.m. Dec 3, 2015.

Carly Montague said...

Same here, both Datanet and Industrial Cleaning Materials emails late morning on the 3rd Dec.. Just did a quick search as I never open this sort of mail, thanks for the posts...

seb dean said...

its doing the rounds... had a fewvothers recently...