Sponsored by..

Thursday 21 April 2016

Malware spam: "FW: Latest order delivery details" is somewhat rude

This fake financial spam leads to malware:

From:    Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date:    21 April 2016 at 17:45
Subject:    FW: Latest order delivery details

Good morning!

Hope you are good.

Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.

I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.

Many thanks and good luck

Milan Bell

DORIC NIMROD AIR ONE LTD

tel. 443-682-9021
The rather rude pitch here is a canny bit of social engineering, aimed to make you open the link without clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:

trendmicro.healdsburgdistricthospital.com/RIB/assets.php

Cheekily the URL references a well-known security company.  The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:

176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)

You can be that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:

103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate , US)


It is not clear what the payload is, but there are indications it is the Dridex banking trojan.

Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171



No comments: