This spam claims to be from the legitimate firm AquAid, but it isn't. Instead it comes with a malicious attachment. The email is a forgery: AquAid are not sending the spam, nor have their systems been compromised in any way.
From: Tracey Smith [tracey.smith@aquaid.co.uk]
Date: 18 December 2014 at 07:24
Subject: Card Receipt
Hi
Please find attached receipt of payment made to us today
Regards
Tracey
Tracey Smith | Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone: 0121 525 4533
Fax: 0121 525 3502
Mobile: 07795328895
Email: tracey.smith@aquaid.co.uk
AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales. All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.
************************************************************ *********
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.
In the sample I have seen, the attachment is called CAR014 151239.doc. It is malicious, but has a VirusTotal detection rate of only 2/54. This particular document (note that there are usually several different documents in the spam run) contains this malicious macro [pastebin]. This macro downloads a malware executable from:
http://sardiniarealestate.info/js/bin.exe
..which is saved as %TEMP%\YEWZMJFAHIB.exe - this has a marginally better detection rate of 3/53.
The ThreatExpert report shows connections to the following two IPs:
74.208.11.204 (1&1, US)
81.169.156.5 (Strato AG, Germany)
The Malwr report shows that it drops a DLL which is very poorly detected but is probably the Dridex banking trojan.
Recommended blocklist:
74.208.11.204
81.169.156.5
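An added example (not part of the original post) of turning the indicators above into a proxy-log check: it flags any fetch of the `/js/bin.exe` dropper path the run uses on every compromised site, any connection to the blocklisted addresses, and then reports the clients that did both, since a dropper download followed by C2 contact is the signature of a successful infection. The log lines are constructed for the example, with TEST-NET addresses for the hosting sites.

```python
import re

# Indicators taken from the post: the C2 addresses in the recommended
# blocklist (plus the one seen in the 2015-01-13 update) and the path every
# compromised site in the run serves the dropper from.
BLOCKLIST_IPS = {"74.208.11.204", "81.169.156.5", "59.148.196.153"}
DROPPER_URL = re.compile(r"^https?://[^/\s]+/js/bin\.exe$", re.IGNORECASE)

# Constructed proxy log for the example, not real traffic. Fields:
# timestamp, client IP, method, URL, destination IP (203.0.113.x is TEST-NET).
SAMPLE_LOG = """\
2014-12-18T08:01:12 10.0.0.15 GET http://sardiniarealestate.info/js/bin.exe 203.0.113.10
2014-12-18T08:01:40 10.0.0.15 POST http://74.208.11.204/ 74.208.11.204
2014-12-18T08:02:03 10.0.0.22 GET http://example.org/js/app.js 203.0.113.11
2015-01-13T09:15:55 10.0.0.31 GET http://forpetsonly.cz/js/bin.exe 203.0.113.12
2015-01-13T09:16:20 10.0.0.31 POST http://59.148.196.153/ 59.148.196.153
2015-01-13T09:20:00 10.0.0.40 GET http://example.org/js/bin.exe 203.0.113.13
"""

def classify(url, dst_ip):
    """Name the indicator a request matches, or None if it matches nothing."""
    if dst_ip in BLOCKLIST_IPS:
        return "c2-contact"
    if DROPPER_URL.match(url):
        return "dropper-download"
    return None

def scan(log_text):
    """Return (client, indicator, url) for every log line that matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _ts, client, _method, url, dst = parts
        tag = classify(url, dst)
        if tag is not None:
            hits.append((client, tag, url))
    return hits

def likely_infected(hits):
    """Clients that fetched the dropper AND reached a C2 address. A download
    alone means the macro ran; C2 contact means the dropper executed."""
    by_client = {}
    for client, tag, _url in hits:
        by_client.setdefault(client, set()).add(tag)
    return sorted(c for c, tags in by_client.items()
                  if {"dropper-download", "c2-contact"} <= tags)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("isolate:", likely_infected(hits))
```

The client that only fetched `bin.exe` (10.0.0.40 in the sample) is still worth a look, since the download may simply have been blocked downstream.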
FOR RESEARCHERS ONLY: a copy of the malicious DOC attachment plus dropped files can be found here. Password is "infected". Only handle these if you know what you are doing.
UPDATE 2015-01-13
This spam keeps coming back every few days or so. This time the attachment has a VirusTotal detection rate of 3/57 and the malicious macro it contains [pastebin] downloads from:
http://forpetsonly.cz/js/bin.exe
This file has a VirusTotal detection rate of 2/57. The Malwr report shows it phoning home to:
59.148.196.153
74.208.11.204
It also drops a DLL with a detection rate of 2/57.
UPDATE 2015-02-25
Another version of this spam run is in progress, with these malicious macros [1] [2] downloading from the following locations:
http://junidesign.de/js/bin.exe
http://jacekhondel.w.interia.pl/js/bin.exe
This malware is the same as used in this spam run.
11 comments:
so how do we extract the macro from a document? would you please instruct me in doing that? I want to analyze this activities too.
@ peter,
use officemalscanner with the 'info' parameter to extract the macro. tool found here: http://www.reconstructer.org/code.html
Cheers,
Yes, OfficeMalscanner will extract the VBA macro. But the code is obfuscated, so it needs more work. If you CAREFULLY deconstruct the macro to remove the dangerous bits then you can use the macro to decode itself. (It might be worth doing that on a throwaway machine not connected to the internet).
We have been hammered with these emails ... not just 2-3 IPS but 1000!
here's the list
http://pastebin.com/xnYELwSM
The macros in today's versions download from progresser-en-photo.com/js/bin.exe or curie-hennebont.fr/js/bin.exe which is saved as %TEMP%\EXXQJIULSJO.exe and has a VirusTotal detection rate of 6/54
Another run of these today to go with all the other macro malware. Today's version of this malware downloads from phaluzan.net.amis.hr/js/bin.exe which is saved as %temp%\1V2MUY2XWYSFXQ.exe and has a current VirusTotal detection rate of 7/56.
I've been getting it today as well Derek.
I've just opened that attachment thinking it was the legit company .... what do I do, will it affect me in any way?
@Rachael Roberts: if you have a PC and have Microsoft Office with Macros enabled, then yes. But macros are only enabled by default on really old versions.
A quick indicator of infection is to check your TEMP folder for a randomly-named file (something like YEWZMJFAHIB.exe). You can do this in a number of ways, but perhaps the easiest is to open up a Command Prompt in Windows and then type:
DIR %TEMP%\*.EXE
..followed by the Enter key. If you can see such a file with a recent date and time, then you are infected. If you can't, then I think you will be clean.
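An added example, not from the post or its comments, that generalises the `DIR %TEMP%\*.EXE` check above: it lists executables in a folder whose names look randomly generated (an all-caps stem like YEWZMJFAHIB or EXXQJIULSJO) and that were written recently, so a months-old file is not mistaken for this run. The name heuristic and the 48-hour window are assumptions for the example; `build_sample_dir` creates a constructed folder of placeholder files, not real droppers.

```python
import os
import re
import tempfile
import time

# The droppers in this run land in %TEMP% under a random all-caps stem
# (YEWZMJFAHIB.exe, EXXQJIULSJO.exe, 1V2MUY2XWYSFXQ.exe). Stem is matched
# case-sensitively so ordinary lowercase installers are not flagged.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8,16}\.[Ee][Xx][Ee]$")

def find_suspicious_exes(directory, max_age_hours=48, now=None):
    """Return names of .exe files in `directory` that look randomly named and
    were modified within the last `max_age_hours` (recent = this spam run)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    found = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not RANDOM_NAME.match(name):
            continue
        if os.path.getmtime(path) >= cutoff:
            found.append(name)
    return sorted(found)

def build_sample_dir():
    """Constructed test folder (not a real infection): one fresh random-named
    exe, one 30-day-old one, a normally named installer and a text file."""
    d = tempfile.mkdtemp(prefix="tempcheck_")
    now = time.time()
    for name, age_hours in (("YEWZMJFAHIB.exe", 1), ("ABCDEFGHIJK.exe", 24 * 30),
                            ("setup.exe", 1), ("notes.txt", 1)):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not an executable
        stamp = now - age_hours * 3600
        os.utime(path, (stamp, stamp))
    return d

if __name__ == "__main__":
    temp_dir = os.environ.get("TEMP") or tempfile.gettempdir()
    hits = find_suspicious_exes(temp_dir)
    print("suspicious:", hits if hits else "none found")
```

A hit is a reason to pull the machine off the network and look further, not proof on its own; an empty result is reassuring but, as the comment says, not a guarantee.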
They started sending it out again today. 400 emails have hit my server so far.
Seen it today, this time sent from
REED TODD-NAYLOR
With a file name of CARD564 628779.docm