Friday 19 December 2014

Malware spam: "BACS payment Ref:901109RW"

This spam comes with a malicious attachment, in a format similar to the following:

From:    Fern
Date:    19 December 2014 at 10:09
Subject:    BACS payment Ref:901109RW


Please see below our payment confirmation for funds into your account on Tuesday re invoice 901109RW

Accounts Assistant
Tel:  01874 662 346
Fax: 01874 501 248

To add credibility, the attachment has the same name as the reference in the subject and body text (in this case it is 901109RW.xls). The reference is randomly generated.

So far, I have seen three different types of attachment, all undetected by AV vendors [1] [2] [3], each containing a different malicious macro [1] [2] [3] [pastebin]. These macros then try to download an executable from the following locations:

http://78.129.153.23/sstat/lldvs.php
http://5.9.253.183/sstat/lldvs.php
http://185.48.56.123/sstat/lldvs.php


The file is downloaded as test.exe and is then moved to %TEMP%\VMUYXWYSFXQ.exe. It has a VirusTotal detection rate of 2/54. VT also reports that it phones home to 194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine).

Additional analysis is pending.

UPDATE:
A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal and a different macro [pastebin]; however, it downloads the same binary from http://78.129.153.23/sstat/lldvs.php as the previous example does.
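
For checking mail and proxy logs against the indicators above, here is an added example (not part of the original post) that flags the lure pattern and the download and phone-home addresses. The function names, the reference pattern and the `client method url status` log layout are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post above.
DOWNLOAD_HOSTS = {"78.129.153.23", "5.9.253.183", "185.48.56.123"}
DOWNLOAD_PATH = "/sstat/lldvs.php"
PHONE_HOME_IP = "194.146.136.1"
# Assumption: references look like the one sample shown (digits and capitals).
SUBJECT_RE = re.compile(r"BACS payment Ref:\s*([0-9A-Z]+)", re.IGNORECASE)

def lure_match(subject, attachment_names):
    """True when an .xls attachment is named after the reference in the subject."""
    m = SUBJECT_RE.search(subject)
    if not m:
        return False
    wanted = m.group(1).lower() + ".xls"
    return any(name.strip().lower() == wanted for name in attachment_names)

def classify_url(url):
    """Return 'exact', 'path-only', 'host-only' or None for a requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path_hit = parts.path.lower() == DOWNLOAD_PATH
    if path_hit and host in DOWNLOAD_HOSTS:
        return "exact"
    if path_hit:
        return "path-only"  # same path on a host the post does not list
    if host in DOWNLOAD_HOSTS or host == PHONE_HOME_IP:
        return "host-only"
    return None

def hunt_proxy_log(lines):
    """Return (client, url, verdict) for each matching 'client method url status' line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and (verdict := classify_url(fields[2])):
            hits.append((fields[0], fields[2], verdict))
    return hits

# Constructed sample log; client addresses, the 203.0.113.7 host and the port are made up.
SAMPLE_LOG = [
    "10.0.0.21 GET http://78.129.153.23/sstat/lldvs.php 200",
    "10.0.0.21 CONNECT 194.146.136.1:443 200",
    "10.0.0.35 GET http://203.0.113.7/sstat/lldvs.php 404",
    "10.0.0.40 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_LOG):
        print(hit)
```

A `path-only` verdict is a lead rather than a confirmed hit, since it matches the download path on a host that is not among the three listed.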
