Sponsored by..

Thursday 4 February 2016

Malware spam: "January balance £785" / Alison Smith [ASmith056@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers, but is instead a simple forgery with a malicious attachment:

From     Alison Smith [ASmith056@jtcp.co.uk]
Date     Thu, 04 Feb 2016 10:52:21 +0300
Subject "January balance £785"

Hi,

Thank you for your recent payment of £672.

It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?

Regards

Alison Smith
Assistant Accountant

  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Tel: 0141 429 1094
  www.jtcp.co.uk

 P Save Paper - Do you really need to print this e-mail?

The poor company being spoofed has already been hit by this attack recently [1] [2]. The email address of the sender varies from message to message.

Attached is a file IN161561-201601.js which comes in at least five different versions (VirusTotal [1] [2] [3] [4] [5]). This is a highly obfuscated script that looks like this [pastebin] and automated analysis of the various scripts [6] [7] [8] [9] [10] [11] [12] [13] shows that the macro downloads from the following locations (there may be more):

ejanla.co/43543r34r/843tf.exe
cafecl.1pworks.com/43543r34r/843tf.exe


This binary has a detection rate of 2/52 and phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220.

No comments: