Sponsored by..

Thursday 11 February 2016

Malware spam: "Your Sage Pay Invoice INV00318132" / Sagepay EU [accounts@sagepay.com]

This spam does not come from Sage Pay but is instead a simple forgery with a malicious attachment:

From:    Sagepay EU [accounts@sagepay.com]
Date:    11 February 2016 at 13:21
Subject:    Your Sage Pay Invoice INV00318132


Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones.  You should have already received an email that outlined the changes, however if you have any questions please contact accounts@sagepay.com or call 0845 111 44 55.

Kind regards

Sage Pay
0845 111 44 55
Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least 11). The VirusTotal detection rate for a subset of these is 4/54 [1] [2] [3] [4] [5] [6]. Only a single Malwr report seemed to work, indicating the macro downloading from:

www.phraseculte.fr/09u8h76f/65fg67n

This dropped executable has a detection rate of 3/54. The Malwr report shows it phoning home to:

84.38.67.231 (ispOne business GmbH, Germany)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

No comments: