
Thursday 21 January 2016

Malware spam: "Invoice from COMPANY NAME - 123456"

This spam comes from random senders at random companies with random reference numbers. The attachment is named to reflect those values. For example:

From:    Bettye Davidson
Date:    21 January 2016 at 08:24
Subject:    Invoice from DRAGON OIL - 8454985

 Please find attached a copy of your invoice

 Many Thanks



 Bettye Davidson
 DRAGON OIL


Attachment: DRAGON OIL - inv8454985.DOC

================

From:    Charlotte Atkinson
Date:    21 January 2016 at 08:23
Subject:    Invoice from GULF FINANCE HOUSE - 40610

 Please find attached a copy of your invoice

 Many Thanks



 Charlotte Atkinson
 GULF FINANCE HOUSE

Attachment: GULF FINANCE HOUSE - inv40610.DOC


================

From:    Lucien Drake
Date:    21 January 2016 at 09:26
Subject:    Invoice from HYDROGEN GROUP PLC - 477397

 Please find attached a copy of your invoice

 Many Thanks



 Lucien Drake
 HYDROGEN GROUP PLC

Attachment: HYDROGEN GROUP PLC - inv477397.doc

So far I have seen a couple of different versions of the attachment (VirusTotal [1] [2]) which, according to Malwr [3] [4], both download a malicious binary from:

5.189.216.101/dropbox/download.php

This IP belongs to LLHost Inc, Netherlands. You can assume that the IP is malicious.

The dropped binary is named rare.exe, has an MD5 of e6f67b358009f66f1a4840c1eff19c2e and a detection rate of 4/53. The Malwr report for this shows it phoning home to:

198.50.234.211 (OVH, Canada)

The payload is the Dridex banking trojan, and this behaviour is characteristic of Botnet 120.

Recommended blocklist:
198.50.234.211
5.189.216.101
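To turn the observations above into something that can run against mail and proxy data, here is an added example (my own code, not tooling from this post or from the Malwr/VirusTotal reports) that does two things: it matches the subject/attachment pattern of the lure, requiring the company name and reference number to agree between the two as they do in every sample above, and it flags proxy log entries whose host is on the blocklist or whose path is the download.php dropper path. The Squid-style access.log lines are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import urlparse

# Added example, not tooling from the original post. It encodes two things the
# post describes: the subject/attachment pattern of the lure, and the two IPs
# plus the download path reported as indicators.

# Subject: "Invoice from COMPANY NAME - 123456"
SUBJECT_RE = re.compile(r"^Invoice from (?P<company>.+?) - (?P<ref>\d+)$")
# Attachment: "COMPANY NAME - inv123456.DOC" (the case of the extension varies)
ATTACH_RE = re.compile(r"^(?P<company>.+?) - inv(?P<ref>\d+)\.doc$", re.IGNORECASE)

# Indicators quoted from the post.
BLOCKLIST = {"198.50.234.211", "5.189.216.101"}
DROPPER_PATH = "/dropbox/download.php"


def match_invoice_lure(subject, attachment):
    """Return {'company', 'ref'} if subject and attachment fit the lure, else None.

    The campaign keeps the company name and reference number consistent
    between subject and filename, so both must match and must agree.
    """
    s = SUBJECT_RE.match(subject.strip())
    a = ATTACH_RE.match(attachment.strip())
    if not s or not a:
        return None
    if s["company"].casefold() != a["company"].casefold() or s["ref"] != a["ref"]:
        return None
    return {"company": s["company"], "ref": s["ref"]}


def url_hits_iocs(url):
    """True if the URL's host is on the blocklist or its path is the dropper path."""
    parsed = urlparse(url)
    host = parsed.hostname or ""   # hostname drops any :port suffix
    return host in BLOCKLIST or parsed.path == DROPPER_PATH


# Constructed proxy log lines (Squid access.log layout), not real traffic.
SAMPLE_PROXY_LOG = """\
1453364712.345    120 10.0.0.5 TCP_MISS/200 812 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1453364720.112    980 10.0.0.7 TCP_MISS/200 215040 GET http://5.189.216.101/dropbox/download.php - HIER_DIRECT/5.189.216.101 application/octet-stream
1453364731.871    640 10.0.0.7 TCP_MISS/200 1420 POST http://198.50.234.211:8080/ - HIER_DIRECT/198.50.234.211 text/html
"""


def scan_proxy_log(text):
    """Return (client_ip, url) for each log line whose URL hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a well-formed access.log entry
        client, url = fields[2], fields[6]  # Squid: time dur client code bytes method url ...
        if url_hits_iocs(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    print(match_invoice_lure("Invoice from DRAGON OIL - 8454985",
                             "DRAGON OIL - inv8454985.DOC"))
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"IOC hit from {client}: {url}")
```

The subject/attachment check is deliberately strict: a real invoice whose reference number differs between subject and filename is not flagged, which keeps false positives down, while the blocklist check treats any contact with either IP as a hit regardless of port or path, since the post states the IPs themselves can be assumed malicious.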
