Sponsored by..

Friday 25 August 2017

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here 

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.

helpmatheogrow.com/SINV0709.rar
hendrikvankerkhove.be/SINV0709.rar
heinverwer.nl/SINV0709.rar
help.ads.gov.ba/SINV0709.rar
harvia.uz/SINV0709.rar

The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:

go-coo.jp/HygHGF
hausgerhard.com/HygHGF
hausgadum.de/HygHGF
bromesterionod.net/af/HygHGF
hartwig-mau.de/HygHGF
hecam.de/HygHGF
haboosh-law.com/HygHGF
hbwconsultants.nl/HygHGF
hansstock.de/HygHGF
heimatverein-menne.de/HygHGF

Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to 46.183.165.45/imageload.cgi  (Reg.Ru, Russia)

Recommended blocklist:
46.183.165.45




No comments: