From: Kate Williams
Date: 10 November 2014 09:40
Subject: invoice 8798556 November
Please find attached your November invoice, we now have the facility to email invoices,
but if you are not happy with this and would like a hard copy please let me know.
New bank details for BACS payments are Santander Bank Sort Code 8798556 Account No 5608798556.
Thanks very much
The invoice number is random but consistent between the subject and the attachment name (in this case invoice_8798556.doc). There are two different attachments, both poorly detected at VirusTotal [1] [2], each containing a malicious macro [1] [2].
I haven't been able to analyse it myself yet, but according to this comment, it downloads a binary from adeline.de/js/bin.exe which has a low VirusTotal detection rate and for which the comments from user borromini say:
#malware #dridexUPDATE
Downloaded by malicious word doc with macro (f9d6161e1b26cf6faab4ac0eecde3a7d).
POST requests to
84.40.9.34:8080
87.106.84.226
Also tried 37.139.23.200:8080 and 213.143.97.18:8080
The macros I mentioned download from the following locations:
http://adeline.de/js/bin.exe
http://antjegoerner.de/dokumente/bin.exe
The executable is then copied to %TEMP%\CQRZKMIESEX.exe and the ThreatTrack report [pdf] shows the malware connecting to 84.40.9.34 (Hostway, UK), where it POSTs to /hCsYvpW%26lZaTGPBgK$W%264P49%24%2BNU&Y/H%26%20@Kg5SvSh8+unz%7Eg6f%24G on that server.
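Two things in this post are directly usable for detection: the lure shape (a subject of the form "invoice NNNNNNN Month" whose number is repeated in the attachment name invoice_NNNNNNN.doc) and the network indicators (the two bin.exe download URLs and the POST destinations listed in the comment). The script below is an added example, not part of the original post or any tool it mentions; it hard-codes only the indicators quoted above, and the mail entries and proxy log lines it runs over are constructed samples in an assumed "timestamp client method url status" format.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post above (download URLs and POST destinations).
DOWNLOAD_URLS = {
    "http://adeline.de/js/bin.exe",
    "http://antjegoerner.de/dokumente/bin.exe",
}
C2_ENDPOINTS = {
    "84.40.9.34:8080",
    "87.106.84.226",
    "37.139.23.200:8080",
    "213.143.97.18:8080",
}
C2_HOSTS = {ep.split(":")[0] for ep in C2_ENDPOINTS}

# Lure shape from the post: subject "invoice <digits> <Month>",
# attachment "invoice_<digits>.doc", with the same digits in both.
SUBJECT_RE = re.compile(r"^invoice\s+(\d+)\s+[A-Za-z]+$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^invoice_(\d+)\.doc$", re.IGNORECASE)


def is_invoice_lure(subject: str, attachment: str) -> bool:
    """True when subject and attachment carry the same invoice number."""
    s = SUBJECT_RE.match(subject.strip())
    a = ATTACHMENT_RE.match(attachment.strip())
    return bool(s and a and s.group(1) == a.group(1))


def classify_proxy_line(line: str):
    """Classify one proxy log line in the assumed format
    '<timestamp> <client-ip> <method> <url> <status>'.
    Returns (client_ip, tag, url), or None for benign or unparseable lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, client, method, url, _status = parts[:5]
    host = urlparse(url).hostname
    if url in DOWNLOAD_URLS:
        return (client, "payload_download", url)
    if method.upper() == "POST" and host in C2_HOSTS:
        return (client, "c2_post", url)
    return None


def scan_proxy_log(text: str):
    """Run classify_proxy_line over every line and keep only the hits."""
    hits = []
    for line in text.splitlines():
        hit = classify_proxy_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample data (not from the post): mail entries and proxy lines.
SAMPLE_MAIL = [
    ("invoice 8798556 November", "invoice_8798556.doc"),
    ("invoice 1234567 November", "invoice_7654321.doc"),
    ("Re: project plan", "plan.pdf"),
]
SAMPLE_PROXY_LOG = """\
2014-11-10T09:41:02Z 10.0.0.15 GET http://adeline.de/js/bin.exe 200
2014-11-10T09:41:05Z 10.0.0.15 POST http://84.40.9.34:8080/hCsYvpW%26lZaTGPBgK 200
2014-11-10T09:41:09Z 10.0.0.22 GET http://www.example.com/ 200
2014-11-10T09:41:11Z 10.0.0.22 POST http://www.example.com/login 302
"""

if __name__ == "__main__":
    for subject, attachment in SAMPLE_MAIL:
        flag = "LURE" if is_invoice_lure(subject, attachment) else "ok  "
        print(f"{flag} {subject!r} -> {attachment!r}")
    for client, tag, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {tag} {url}")
```

The mail check deliberately requires the number to match in both places rather than matching "invoice" alone, which keeps it quiet on legitimate invoice traffic; the proxy check separates the initial download (GET of bin.exe) from the later POST beaconing so an analyst can see which stage a host reached.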