From: Sage Invoice [firstname.lastname@example.org]
Date: 17 November 2016 at 10:54
Subject: Outdated Invoice
This is a customer service e-mail from © Sage (UK) Limited to [redacted]
Sage Invoice Payments
You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.
The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.
We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom
Privacy and Security
3/54. Hybrid Analysis shows malicious network traffic to:
substan.merahost.ru/petrov.bin [126.96.36.199] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)
A malicious file scsnsys.exe is dropped with a detection rate of 8/53.
The domain sage-invoices.com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:
Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: email@example.com
I recommend that you block traffic from that domain or check your filters to see who may have it.