Tuesday, 19 January 2016

Malware spam: "Thank you for purchasing from Cheaper Travel Insurance - 14068156"

This fake financial spam comes with a malicious attachment:

From     info17@Resellers.insureandgo.com
Date     Tue, 19 Jan 2016 14:27:06 +0530
Subject     Thank you for purchasing from Cheaper Travel Insurance - 14068156

Your policy number: MF/CP/205121/14068156

Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156

Insurance is arranged by Insure & Go Insurance Services Ltd who are authorised and regulated by the Financial Conduct Authority. Insure & Go Insurance Services Ltd Registered Address: 10th Floor Maitland House, Warrior Square, Southend-on-Sea, Essex SS1 2JY. Registered in England and Wales (Company Number: 04056769). Calls may be recorded and monitored.

The sender appears to be info[some-random-number]@Resellers.insureandgo.com, but it is just a simple forgery. Attached is a malicious Word document, of which I have seen five different versions (VirusTotal results [1] [2] [3] [4] [5]).
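As an added example (not part of the original post), the following Python script applies the campaign's visible indicators, a forged sender of the form info<digits>@Resellers.insureandgo.com, the fixed subject pattern, and a Word attachment, to a raw message so a mail gateway or triage script can flag matching mail for quarantine. The sample messages are constructed here for testing; the campaign patterns come from the post above.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the spam described above
FROM_RE = re.compile(r"^info\d+@resellers\.insureandgo\.com$", re.I)
SUBJECT_RE = re.compile(
    r"^Thank you for purchasing from Cheaper Travel Insurance - \d+$"
)
DOC_EXTS = (".doc", ".docm", ".dot", ".dotm")


def classify_message(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    subject = str(msg.get("Subject", ""))
    hits = {
        "forged_sender": bool(FROM_RE.match(sender)),
        "campaign_subject": bool(SUBJECT_RE.match(subject)),
        "word_attachment": any(
            (part.get_filename() or "").lower().endswith(DOC_EXTS)
            for part in msg.iter_attachments()
        ),
    }
    # All three together is a strong match for this campaign; any one alone
    # is worth a closer look but not an automatic quarantine.
    hits["suspect"] = all(
        hits[k] for k in ("forged_sender", "campaign_subject", "word_attachment")
    )
    return hits


def build_sample(sender: str, subject: str, filename: str) -> bytes:
    """Construct a test message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("Your policy documents are attached.")
    m.add_attachment(b"constructed placeholder bytes, not a real document",
                     maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()
```

Run the classifier over mail as it arrives or over a mailbox export; a message where all three indicators hit should be quarantined and its attachment hashed for the blocklist.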

The Malwr reports on the samples [1] [2] [3] [4] [5] show download locations as:
The downloaded binary has a VirusTotal detection rate of 3/54. The Malwr and VirusTotal reports, combined with this Hybrid Analysis report, show traffic to: (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil) (Bulgarian Academy Of Sciences, Bulgaria) (Triara.com, S.A. de C.V., Mexico) (Ignum s.r.o, Czech Republic) (Ozhosting.com Pty Ltd, Australia) (TE Data, Egypt) (Linknet, Indonesia) (Network Devices, Turkey)

The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign.

Dropped file MD5:

Attachment MD5s:

Recommended blocklist:
The payload has now changed to one with an MD5 of 4f272b8af966ccd73880888015d87e40 and a detection rate of 2/54. The Malwr report indicates that the network behaviour is pretty much the same.