The spam comes with an Excel spreadsheet which contains a malicious macro.
The Excel attachments have random names such as BAC_0577719P.xls or BAC_581969Q.xls. So far I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2].
Some sample spams are as follows:
From: Brenton Glover
Date: 5 December 2014 at 07:20
Subject: Remittance Advice for 430.57 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Reba Fletcher
Date: 5 December 2014 at 08:23
Subject: Remittance Advice for 520.60 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Reba Fletcher
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Jennifer Copeland
Date: 5 December 2014 at 07:36
Subject: Remittance Advice for 866.73 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Jennifer Copeland
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Tia Maddox
Date: 5 December 2014 at 07:33
Subject: Remittance Advice for 539.99 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Tia Maddox
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Weston Martinez
Date: 5 December 2014 at 08:33
Subject: Remittance Advice for 248.65 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Weston Martinez
Senior Accounts Payable Specialist
K J Watking & Co
================
From: Reva Morgan
Date: 5 December 2014 at 08:17
Subject: Remittance Advice for 649.39 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Reva Morgan
Senior Accounts Payable Specialist
K J Watking & Co
Each spreadsheet contains a different but similar malicious macro [1] [2] [pastebin], which then downloads a binary from one of the following locations:
http://79.137.227.123:8080/stat/lld.php
http://124.217.199.218:8080/stat/lld.php
This file is downloaded as test.exe and is then moved to %TEMP%\EWSUVRXTBUU.exe. It has a VirusTotal detection rate of just 2/52. According to the Malwr report this then drops a DLL with another low detection rate which is identified as Dridex. The ThreatExpert report [pdf] indicates that the malware attempts to communicate with the following IPs:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218
UPDATE 2014-12-10:
Another spam run is in progress, with a slightly different payload. Again, there are two different XLS files both of which are undetected [1] [2] by AV vendors and containing one of two macros [1] [2] [pastebin] which download from the following locations:
http://41.0.5.138:8080/stat/lld.php
http://217.174.240.46:8080/stat/lld.php
The file is downloaded as test.exe and is saved as %TEMP%\LNUDTUFLKOJ.exe and is the same payload as found in this attack.
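As an added illustration (not part of the original post), the following Python checks inbound mail metadata and proxy log records against the indicators quoted above. It goes one step further than the raw blocklist by also matching the `:8080/stat/lld.php` download pattern shared by both spam runs, so a download server not yet on the list would still be flagged. The log line format and the 203.0.113.9 host are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: download hosts plus the two C2 addresses.
BLOCKLIST_IPS = {"194.146.136.1", "84.92.26.50", "79.137.227.123",
                 "124.217.199.218", "41.0.5.138", "217.174.240.46"}
# Download URL shape (host:8080/stat/lld.php) shared by both spam runs.
DOWNLOAD_PATH = "/stat/lld.php"
SUBJECT_RE = re.compile(r"^Remittance Advice for \d+\.\d{2} GBP$")
ATTACHMENT_RE = re.compile(r"^BAC_\d+[A-Z]\.xls$", re.IGNORECASE)

# Constructed sample proxy log, "timestamp client method url" (not from the post).
SAMPLE_PROXY_LOG = """\
2014-12-05T07:41:02 10.0.0.15 GET http://79.137.227.123:8080/stat/lld.php
2014-12-05T07:41:05 10.0.0.15 GET http://www.example.com/index.html
2014-12-10T09:02:11 10.0.0.22 GET http://41.0.5.138:8080/stat/lld.php
2014-12-10T09:03:27 10.0.0.31 GET http://203.0.113.9:8080/stat/lld.php
"""

def check_url(url):
    """Return why a URL looks like this campaign's download, or None if clean."""
    parts = urlsplit(url)
    if parts.hostname in BLOCKLIST_IPS:
        return "blocklisted host"
    # Catch a new download server that reuses the same port and path.
    if parts.port == 8080 and parts.path == DOWNLOAD_PATH:
        return "dridex download path"
    return None

def check_mail(subject, attachment_names):
    """Return the campaign traits an inbound mail matches (subject, attachment name)."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("campaign subject pattern")
    for name in attachment_names:
        if ATTACHMENT_RE.match(name):
            reasons.append("campaign attachment name " + name)
    return reasons

def scan_proxy_log(lines):
    """Return (client, url, reason) for every log record that matches an indicator."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        _ts, client, _method, url = line.split()
        reason = check_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits
```

Run `scan_proxy_log(SAMPLE_PROXY_LOG.splitlines())` to list the three matching clients; the example.com request is left alone.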
8 comments:
How can I know if I have this trojan in my system, and do you know any way to remove it.
Cheers
It injects itself into explorer.exe and starts itself as a service all the time.
Hi guys,
I opened the attachment (I know I shouldn't have but I double-clicked out of habit).
What does this mean? I'm guessing they now have access to my PC.
Any remediation advice?
Cheers,
Olie
Surely this can only load if you have Macros enabled in Excel? If you don't then I can't see how it can run.
I also had this email
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Kim Marquez
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 604703
......
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Murray Farrell
Senior Accounts Payable Specialist
K J Watking & Co
Tel: 01469 455159
I have just received this same email from a Max Chandler KJ Watking & Co. and I, too, stupidly tried to open the .xls attachment, which didn't open. I looked up the address, which led me here! WHAT DO I DO NOW??!! Thanks.