Date: 21 April 2016 at 12:03
Subject: Dispatched Purchase Order
Purchase Order, 11300 / 0006432242, has been Dispatched. Please detach and print the attached Purchase Order.
***Please do not respond to this e-mail as the mailbox is not monitored.
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.
If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.
Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn another archive file with a name like 5611205-19.04.2016.tar and it that archive is a malicious script named in an almost identical format the the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.
So far I have seen two versions of this script, downloading from:
The downloaded binary is the same in both cases. This Hybrid Analysis and DeepViz Analysis indicate network traffic to:
220.127.116.11 (MultiNet AS, Norway)
18.104.22.168 (Topix, Italy)
22.214.171.124 (Impsat, Argentina)
126.96.36.199 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload appears to be the Dridex banking trojan.