Sponsored by..

Monday 21 October 2013

"Last Month Remit" spam / Remit_10212013.exe

This bogus remittance spam comes a malicious attachment:

Date:      Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From:      Administrator [docs9@victimdomain]
Subject:      FW: Last Month Remit

File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victims domain in the format Remit_domain.tld.zip  which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file, in this case it is called Remit_10212013.exe but note that the date is encoded into the filename.

The malicious payload has a very low detection rate at VirusTotal of just 2/47. Automated analysis tools [1] [2] [3] show an attempted connection to p3-sports.com on (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. Also, the malware appears to try to connect to the following IPs demonstrating a peer-to-peer capability.


Francis said...

I've had one user accidentally open it and double click on the .exe file. Ran Trend Micro and it found some malware on the system and cleared it off. Haven't really seen much else from the virus, but I'm keeping a lookout.

The executable was 10kb and came accompanied with a .txt file that was blank.

Conrad Longmore said...

@Francis - detection rates for the first part were poor, but it should detect something like Gameover Zeus or Zbot. Trend is having a poor time detecting things at the moment IMO, it might be worth giving it a check with another product or leaving it a few days and scanning it again in case there have been signature updates.

Bobby said...
This comment has been removed by the author.
Bobby said...

We got one of these emails this morning. it went to some random internal email accounts. The odd thing is when i checked it through our external SPAM filter, it wasn't there. When i checked from our exchange message tracking logs, it wasn't there either. It appears as though multiple people are seeing this issue, based on what i found when googling "Original Filename: Last month remit file.xls"

Francis said...

Got a zbot pop as soon as I ran Trend Micro today. I'll also run Windows Defender and Malwarebytes to see if anything detects it.