Thursday, 11 February 2016

Malware spam: "Scan from KM1650" / "Please find attached your recent scan" / "scanner@victimdomain.tld"

This fake document scan leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.

From:    scanner@victimdomain.tld
Date:    11 February 2016 at 10:24
Subject:    Scan from KM1650

Please find attached your recent scan

Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1] [2] [3]). The Malwr reports [4] [5] [6] indicate that the macro in the document downloads a malicious executable from:

maraf0n.vv.si/09u8h76f/65fg67n
www.sum-electronics.co.jp/09u8h76f/65fg67n

The dropped executable has a detection rate of 2/54. As with this earlier spam run, it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

Block traffic to that IP. The payload is the Dridex banking trojan.
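As an added example (not from the original post), the following Python sweep applies the indicators above to constructed log lines: it flags proxy or firewall records for the two macro download URLs and the Dridex check-in address, and flags mail-gateway records where the sender claims the organisation's own domain but the message was handed in from outside. The log formats, the `10.0.0.0/8` internal range and `victimdomain.tld` as the protected domain are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DOWNLOAD_HOSTS = {"maraf0n.vv.si", "www.sum-electronics.co.jp"}  # from the post
DOWNLOAD_PATH = "/09u8h76f/"   # path prefix shared by both download URLs
C2_IP = "87.229.86.20"         # Dridex check-in address from the post
# Assumed placeholders (not from the post): our mail domain and internal range.
OWN_DOMAIN = "victimdomain.tld"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed log shapes: "<ts> <client> <url-or-host:port>" and "<ts> from=<addr> client=<ip>".
NET_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
MAIL_RE = re.compile(r"^(\S+) from=<([^>]*)> client=(\S+)$")

def scan_network(lines):
    """Return (client, reason) for stage-2 download and C2 check-in traffic."""
    hits = []
    for line in lines:
        m = NET_RE.match(line)
        if not m:
            continue
        client, dest = m.group(2), m.group(3)
        parts = urlsplit(dest if "://" in dest else "//" + dest)
        host = parts.hostname or ""
        if host in DOWNLOAD_HOSTS and parts.path.startswith(DOWNLOAD_PATH):
            hits.append((client, "macro download from " + host))
        elif host == C2_IP:
            hits.append((client, "Dridex check-in to " + C2_IP))
    return hits

def scan_mail(lines):
    """Return senders that claim OWN_DOMAIN but were handed in from outside."""
    spoofed = []
    for line in lines:
        m = MAIL_RE.match(line)
        if m and m.group(2).lower().endswith("@" + OWN_DOMAIN):
            if ipaddress.ip_address(m.group(3)) not in INTERNAL_NET:
                spoofed.append(m.group(2))
    return spoofed

SAMPLE_NET = [  # constructed
    "2016-02-11T10:31:02 10.0.4.17 http://maraf0n.vv.si/09u8h76f/65fg67n",
    "2016-02-11T10:31:09 10.0.4.17 87.229.86.20:443",
    "2016-02-11T10:32:40 10.0.7.3 http://www.sum-electronics.co.jp/index.html",
]
SAMPLE_MAIL = [  # constructed
    "2016-02-11T10:24:11 from=<scanner@victimdomain.tld> client=203.0.113.45",
    "2016-02-11T10:25:02 from=<hr@victimdomain.tld> client=10.0.1.20",
]
```

The benign visit to the legitimate but compromised `www.sum-electronics.co.jp` site is deliberately not flagged: only the attacker's path on that host counts as an indicator.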



3 comments:

Micol Sinagra said...

I opened it with my mobile. It was a mistake, but apparently the file was sent from my husband. All false. And now? What do I have to do to protect my phone? I often use the phone to buy flights or train tickets. Is this virus dangerous for me (my phone)?
How can I stop it?
Thanks in advance dears.
MS

Victor Homick said...

Thanks, Nice clear description and very timely.

VM said...

Czech version: Scan from km1650

Regards,
Vaclav