
Monday 14 July 2014

"Important - Internal Only" spam

This spam comes with a malicious payload:

Date:      Mon, 14 Jul 2014 16:12:49 +0000 [12:12:49 EDT]
From:      Administrator [Administrator@victimdomain]
Subject:      Important - Internal Only

File Validity: 07/14/2014
Company : http://victimdomain
File Format: Office - Excel ,PDF
Name: Internal Only
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Internal Only.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the
person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by
intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any
dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and
may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this
e-mail and any printouts immediately from
your system and destroy all copies of it.

Attached to the message is an archive file, Internal Only - victimdomain, which in turn contains a malicious executable, Internal Only.scr. That file has a VirusTotal detection rate of 9/54, which indicates that this is a variant of Upatre. The Malwr analysis shows that it contacts the following URLs:

http://renovarweb.com/comprar/css/404.tar
http://vivatsaultppc.com/421w52q4ok9
http://vivatsaultppc.com/tv8m80f8d8d0


This drops a few files, including mkird.exe which has a VirusTotal detection rate of 6/54 (Malwr analysis here) and an encoded file 404[1].tar which only McAfee spots as being suspect (Upatre-Enc.b).

Blocking the following domains may give some protection:
renovarweb.com
vivatsaultppc.com
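As an added illustration (not part of the original post), the two checks a defender would want from this report: flagging an archive that carries a .scr executable, as the attachment here does, and matching proxy log hosts against the two domains above, subdomains included. The zip, its contents and the log format are constructed for the example.

```python
import io
import zipfile
from urllib.parse import urlsplit

# Domains the post recommends blocking.
BLOCKED_DOMAINS = {"renovarweb.com", "vivatsaultppc.com"}
# .scr is a PE executable like .exe; the screensaver extension only hides that.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}

def suspicious_members(archive_bytes: bytes) -> list:
    """Return archive members whose extension marks an executable."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    return [n for n in names
            if any(n.lower().endswith(e) for e in EXECUTABLE_EXTS)]

def host_is_blocked(host: str) -> bool:
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def flag_proxy_lines(lines) -> list:
    """URLs from proxy log lines whose host is blocked.
    Assumed (constructed) format: '<time> <client-ip> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        if host_is_blocked(urlsplit(url).hostname or ""):
            hits.append(url)
    return hits

def build_sample_archive() -> bytes:
    """Constructed stand-in for the 'Internal Only - victimdomain' zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Internal Only.scr", b"MZ" + b"\0" * 64)  # fake PE stub
        zf.writestr("readme.txt", b"not an executable")
    return buf.getvalue()

# Constructed proxy log lines mirroring the URLs the post lists.
SAMPLE_PROXY_LOG = [
    "16:13:02 10.0.0.21 GET http://renovarweb.com/comprar/css/404.tar",
    "16:13:05 10.0.0.21 GET http://www.example.org/index.html",
    "16:13:09 10.0.0.21 GET http://vivatsaultppc.com/421w52q4ok9",
]
```

Calling suspicious_members(build_sample_archive()) returns only the .scr member, and flag_proxy_lines(SAMPLE_PROXY_LOG) returns the two URLs on the blocked domains.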