Sponsored by..

Thursday 30 October 2014

"Further Reminder" spam has a malicious Word document attached

Another round of malicious Word documents today, this time with the subject "Further Reminder" from random senders. For example:

From:     Milan Roach
Date:     30 October 2014 11:35
Subject:     Further Reminder SN4215796

Good afternoon,

Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.

Many Thanks & Kind Regards
Milan Roach

Senior Accounts Payable Clerk
Finance Department
Attached is a malicious Word document with the same name as the subject (e.g. CopySN4215796.doc). There are at least two different versions of this document [Version 1 VirusTotal / Malwr report, Version 2 VirusTotal / Malwr report]. If macros are enabled on the target machine then a malicious macro [pastebin] runs and downloads a futher component from one of the two following locations (there may be more):

This binary has a VirusTotal detection rate of 7/54 and the Malwr report shows it contacting the following URLs:$2%20/@sVAEx5n%2Dq2fhFR%2C2E3nTsY7CsJG$0XGvz/eyWejESZTRrqx2vf/&

It also drops a file 2.tmp which is actually a DLL with a VirusTotal detection rate of 14/54 which identifies it clearly as a variant of  Cridex.

Recommended blocklist:

UPDATE: a contact tells me that this malware also connects to a config file at:
..so I have updated the blocklist above to include these.

No comments: