Wednesday, 20 January 2016

Malware spam: "Your device is on its way" / "O2 Lease [O2BusinessContracts@o2.com]"

This fake financial email is not from O2 but is instead a simple forgery with a malicious attachment. The attachment may not be downloadable in all cases due to an error in formatting.

From:    O2 Lease [O2BusinessContracts@o2.com]
Date:    20 January 2016 at 09:05
Subject:    Your device is on its way

O2
Hello
Great news, you've accepted the O2 Lease terms and conditions and the hire agreement.
We've put your order through. So we'll be sending your new device out in the next few days.
Best regards
O2 Customer Service
You can find out more about being on O2 at o2.co.uk/hello
For the latest updates and news, why not follow us on
Facebook
or
Twitter
We're better, connected
This email is sent from Telefónica UK Limited, a company registered in England and Wales. Registered office: 260 Bath Road, Slough, Berkshire, SL1 4DX.
This electronic message contains information from Telefonica UK or Telefonica Europe which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email.
Switchboard: +44 (0)113 272 2000
Email: feedback@o2.com
Telefonica UK Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 1743099. VAT number: GB 778 6037 85
Telefonica Europe plc 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 05310128. VAT number: GB 778 6037 85
Telefonica Digital Limited 260 Bath Road, Slough, Berkshire SL1 4DX Registered in England and Wales: 7884976. VAT number: GB 778 6037 85

Attached is a file CCAConfirmedAgreement-07540353301-1052136.DOC which (if you can download it) comes in at least two versions (VirusTotal results [1] [2]) and the Malwr reports for those [3] [4] show the malicious document downloading from:

www.lassethoresen.com/98jh6d5/89hg56fd.exe
202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe

www.helios.vn/98jh6d5/89hg56fd.exe [from this spam run]

There are probably some other download locations too. The dropped binary has an MD5 of 7db792adc71e9dc0f6bb28a5f802b7ab and a detection rate of 4/54. Those Malwr reports and the VirusTotal report indicate network traffic to:

216.224.175.92 (SoftCom America Inc., US)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, and the characteristics look like botnet 220.

UPDATE

The payload for today's Dridex 220 runs has been updated to 34781d4f8654f9547cc205061221aea5 with a detection rate of 1/54.
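For anyone who wants to check their own web-proxy logs and quarantined attachments against the indicators listed above, here is an added example (not code from the original post, and not a tool the author published). It carries the post's own download URLs, the C2 address and both payload MD5s as constants, walks a few constructed squid-style log lines (timestamp, client IP, status, method, URL) and flags any request to a listed host, to the C2 IP, or to the shared `/98jh6d5/89hg56fd.exe` path on an unlisted host, since the post says other download locations probably exist. The log format, client addresses and the unlisted host `203.0.113.7` are assumptions for the sample data.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators exactly as published in the post above.
DOWNLOAD_URLS = {
    "www.lassethoresen.com/98jh6d5/89hg56fd.exe",
    "202.191.112.60/~n02022-1/98jh6d5/89hg56fd.exe",
    "www.helios.vn/98jh6d5/89hg56fd.exe",
}
C2_IPS = {"216.224.175.92"}
PAYLOAD_MD5S = {
    "7db792adc71e9dc0f6bb28a5f802b7ab",  # first dropped binary
    "34781d4f8654f9547cc205061221aea5",  # updated payload from the UPDATE
}

# Derived from the URLs above: the hosts, and the path tail that every
# listed download location shares.
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
DOWNLOAD_PATH_SUFFIX = "/98jh6d5/89hg56fd.exe"


def classify_url(url):
    """Return a (kind, value) indicator hit for one logged URL, or None.

    Accepts absolute URLs ("http://host/path") and the bare "host:port"
    form that a CONNECT request leaves in a proxy log.
    """
    if "://" not in url:
        url = "http://" + url  # give urlsplit a scheme so it sees a netloc
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_IPS:
        return ("c2", host)
    if host in DOWNLOAD_HOSTS:
        return ("download_host", host)
    if parts.path.endswith(DOWNLOAD_PATH_SUFFIX):
        # Same path on a host the post does not list: likely another
        # download location for the same run, worth a look.
        return ("download_path", host + parts.path)
    return None


def scan_proxy_log(lines):
    """Return (line_number, client_ip, kind, value) for each line that touches
    a published indicator. Assumed format: second field is the client IP and
    the last field is the URL, as in squid's native access log."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        hit = classify_url(fields[-1])
        if hit:
            hits.append((n, fields[1], hit[0], hit[1]))
    return hits


def payload_md5_matches(data):
    """True if the given bytes hash to one of the published payload MD5s."""
    return hashlib.md5(data).hexdigest() in PAYLOAD_MD5S


# Constructed sample log lines (not real traffic): timestamp, client IP,
# status, method, URL. Client addresses and 203.0.113.7 are made up.
SAMPLE_LOG = [
    "1453280700.123 10.0.0.5 TCP_MISS/200 GET http://www.o2.co.uk/hello",
    "1453280701.456 10.0.0.5 TCP_MISS/200 GET http://www.helios.vn/98jh6d5/89hg56fd.exe",
    "1453280702.789 10.0.0.7 TCP_HIT/200 GET http://www.example.com/index.html",
    "1453280790.001 10.0.0.5 TCP_TUNNEL/200 CONNECT 216.224.175.92:443",
    "1453280800.200 10.0.0.9 TCP_MISS/200 GET http://203.0.113.7/98jh6d5/89hg56fd.exe",
]

if __name__ == "__main__":
    for n, client, kind, value in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {kind}: {value}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; a `c2` hit after a `download_host` hit from the same client is the sequence the Malwr reports describe (document fetches the executable, executable calls home) and is the client to pull off the network first.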

3 comments:

John Crellin said...

Thanks - it's quite good and your blog has helped me be sure it is spam!

John Reed said...

Thank you very much, you have saved my bacon. It is very convincing and I know downloaded it. I have reported it to O2. John Reed

688PT said...

I received this email too. Even hovering the mouse cursor over the links brings up genuine O2 links. Fortunately, I'm very suspicious and thanks to your post will delete it immediately. Its convincing nature may tempt some people to open the attachment to check whether they have become victims of ID theft.

Thank you.

Paul Taylor - England.