Sponsored by..

Thursday, 30 October 2014

"Further Reminder" spam has a malicious Word document attached

Another round of malicious Word documents today, this time with the subject "Further Reminder" from random senders. For example:

From:     Milan Roach
Date:     30 October 2014 11:35
Subject:     Further Reminder SN4215796

Good afternoon,

Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.

Many Thanks & Kind Regards
Milan Roach

Senior Accounts Payable Clerk
Finance Department
Attached is a malicious Word document with the same name as the subject (e.g. CopySN4215796.doc). There are at least two different versions of this document [Version 1 VirusTotal / Malwr report, Version 2 VirusTotal / Malwr report]. If macros are enabled on the target machine then a malicious macro [pastebin] runs and downloads a futher component from one of the two following locations (there may be more):

http://81.7.3.101:8080/doc/6.exe
http://195.154.126.245:8080/doc/6.exe


This binary has a VirusTotal detection rate of 7/54 and the Malwr report shows it contacting the following URLs:

http://212.59.117.207/fJ5SAAWU%7EQh@T%7E/.c0ip%2D~wm&4iS$2%20/@sVAEx5n%2Dq2fhFR%2C2E3nTsY7CsJG
http://217.160.228.222/mqtGeOgnz/1%7EzXP@%20F~YhNF/tznfsAv2%2BWsXzjfHO2$0XGvz/eyWejESZTRrqx2vf/&


It also drops a file 2.tmp which is actually a DLL with a VirusTotal detection rate of 14/54 which identifies it clearly as a variant of  Cridex.

Recommended blocklist:
212.59.117.207
217.160.228.222
91.222.139.45
81.7.3.101
195.154.126.245

UPDATE: a contact tells me that this malware also connects to a config file at:
212.59.117.207:8080
91.222.139.45:8080
..so I have updated the blocklist above to include these.

No comments: