Sponsored by..

Monday 9 December 2013

"TNT UK Limited Self Billing Invoice" malware spam

This fairly terse spam email comes with a malicious attachment:

Date:      Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
From:      Accounts Payable TNT [accounts.payable@tnt.co.uk]
Subject:      TNT UK Limited Self Billing Invoice 5321378841

Download the attachment. Invoice will be automatically shown by double click. 
Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47) which has an icon that make it look like a PDF file.

Automated analysis tools [1] [2] [3] show an attempted connection to 2dlife.com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife.fr so I would assume that both are compromised and blocking access to this IP address is the way to go.


No comments: