Sponsored by..

Monday 4 November 2013

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

This fake SAGE spam has a malicious attachment:

Date:      Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From:      Payroll Reports [payroll@sage.co.uk]

Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.

Bernice Swanson

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you. 
Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with a icon that makes it look like an Excel spreadsheet.

This malware has a VirusTotal detection rate of just 4/47, and automated analysis tools [1] [2] [3] shows an attempted connect to goyhenetche.com on (Singlehop, US), a server that contains many legitimate domains but some more questionable ones too.


Kim said...

We received this email today but did not open the attachment. Can we report it to anyone?

Conrad Longmore said...

@Kim, there's probably little point in reporting it, but as long as you continue to exercise caution with unusual emails then it should help :)

PC.Tech said...

Diagnostic page for AS32475 (SINGLEHOP-INC)
- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 1069 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-11-04, and the last time suspicious content was found was on 2013-11-04... we found 73 site(s) on this network... that appeared to function as intermediaries for the infection of 371 other site(s)... We found 147 site(s)... that infected 543 other site(s)..."