From: billing.address.updates@ADP.com [mailto:billing.address.updates@ADP.com]
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564

Your ADP past due invoice is ready for your review at ADP Online Invoice Management.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.

Most of the ones that I have seen are malformed: instead of a link they just say <html>, which is one reason that they are getting through the spam filter. I have seen one live one, leading to [donotclick]www.bingemann-buerosysteme.de/services/invoice1211.php

This downloads a ZIP file invoice1211_pdf28.zip which in turn contains a malicious executable invoice1211_pdf.exe with a VirusTotal detection rate of 6/54.
It then contacts the following URLs according to the Malwr report:
http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/
http://188.165.206.208:30083/1211uk1/HOME/1/0/0/
http://shahlart.com/miniuk1.pmg
http://mboaqpweuhs.com/mhninqiiifrd3ku
http://mboaqpweuhs.com/nt09kq47fv6k0
Recommended blocklist:
188.165.206.208
shahlart.com
mboaqpweuhs.com
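As an added example (not part of the original post), the following Python script derives the blocklist above from the URLs in the Malwr report and then checks proxy log lines against it, so the indicators can be turned into a detection rather than a list to eyeball. The URLs and hosts are the ones reported in the post; the Squid-style access.log lines and internal client addresses are constructed for this demonstration.

```python
"""Build a host blocklist from the URLs a sample contacted and match
proxy log lines against it.

Added example, not code from the original post. The contacted URLs are
those listed in the post's Malwr report; the log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# URLs the sample contacted, as listed in the post's Malwr report.
CONTACTED_URLS = [
    "http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/",
    "http://188.165.206.208:30083/1211uk1/HOME/1/0/0/",
    "http://shahlart.com/miniuk1.pmg",
    "http://mboaqpweuhs.com/mhninqiiifrd3ku",
    "http://mboaqpweuhs.com/nt09kq47fv6k0",
]


def build_blocklist(urls):
    """Reduce contacted URLs to the set of hosts worth blocking.

    Ports and paths are dropped on purpose: the C2 on 188.165.206.208
    used a non-standard port and the download paths change per build,
    so the host is the stable indicator.
    """
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname  # strips scheme, port, path, userinfo
        if host:
            hosts.add(host.lower())
    return hosts


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def host_matches(host, blocklist):
    """True if host is a blocked IP/domain or a subdomain of a blocked domain."""
    host = host.lower().rstrip(".")
    if host in blocklist:
        return True
    # A blocked domain also covers its subdomains (e.g. www.shahlart.com).
    return any(host.endswith("." + b) for b in blocklist if not _is_ip(b))


# Constructed Squid-style access.log lines. Field order:
# timestamp elapsed client action/code bytes method url rfc931 peer type
SAMPLE_LOG = """\
1415809712.345    120 10.0.0.15 TCP_MISS/200 41233 GET http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/ - DIRECT/188.165.206.208 application/octet-stream
1415809713.001     35 10.0.0.15 TCP_MISS/200 812 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1415809720.552    210 10.0.0.22 TCP_MISS/200 98304 GET http://shahlart.com/miniuk1.pmg - DIRECT/203.0.113.9 application/octet-stream
1415809730.100     40 10.0.0.31 TCP_MISS/404 0 GET http://mboaqpweuhs.com/nt09kq47fv6k0 - DIRECT/203.0.113.10 text/html
1415809731.900     22 10.0.0.31 TCP_HIT/200 3100 GET http://intranet.corp.local/news - NONE/- text/html
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)


def find_hits(log_text, blocklist):
    """Return (client, host, url) for each log line that reached a blocked host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse as access.log entries
        host = urlsplit(m.group("url")).hostname
        if host and host_matches(host, blocklist):
            hits.append((m.group("client"), host, m.group("url")))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist(CONTACTED_URLS)
    print("Recommended blocklist:")
    for entry in sorted(blocklist):
        print("  " + entry)
    for client, host, url in find_hits(SAMPLE_LOG, blocklist):
        print(f"ALERT {client} contacted {host}: {url}")
```

Matching on the host rather than the full URL is deliberate: the same hosts were contacted with several distinct paths and a non-standard port, so a URL-exact rule would miss the next build. The subdomain check means a later `www.` or randomised-label variant of the same domain still trips the rule.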
5 comments:
Thanks! This is great info. The one sample I have been able to obtain of the email has malformed links, so your link was useful for testing. Do you have any other live samples that have different links/executables?
Here is what I received a few moments ago in my e-mail folder. It has the links I think you are looking for. I hope this helps.
Your ADP past due invoice is ready for your review at ADP Online Invoice Management.
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.
***SPAM*** ADP Past Due Invoice#14355998
The links do not copy.
Thanks for trying. When forwarding the email to a gmail account the links are removed, so maybe google is onto this one!
I am testing different combinations of solutions for AV/malware blocking, and wanted more samples of a fresh cryptovirus build to swing at them.