From: IFS Applications [Do_Not_Reply@vitacress.co.uk]
Date: 15 December 2014 at 07:49
Subject: DOC-file for report is ready
The DOC-file for report Payment Advice is ready and is attached in this mail.

Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros [1] [2] [pastebin] that download a malware binary from one of the following locations:
http://gv-roth.de/js/bin.exe
http://notaxcig.com/js/bin.exe
This file is saved as %TEMP%\DYIATHUQLCW.exe and currently has a VirusTotal detection rate of just 1/52.
The ThreatExpert report and Malwr report show attempted connections to the following IPs, which have been used in many recent attacks and should be blocked if you can:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)
The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet.
UPDATE 2014-12-16
A second wave of spam is in progress with a pair of new malicious Word documents with low detection rates [1] [2] containing new macros [1] [2] that download a malicious file from the following locations:
http://finepack.co.in/js/bin.exe
http://loneleaf.ca/js/bin.exe
This file is saved as %TEMP%\TQWTGECOROR.exe and it currently has a detection rate of just 1/54. The Malwr report shows it posting to 74.208.11.204 yet again, although it does not show the dropped Dridex binary that I would expect to see.
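To turn the indicators from both waves (the four download URLs and the two callback IPs above) into something a proxy-log review can use, here is an added Python example; it is not part of the original post. The log line layout, the sample lines and the `classify`/`scan_proxy_log` function names are assumptions; matching on the shared `/js/bin.exe` path generalises beyond the hosts the post lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the post (both waves): download URLs and callback IPs.
DOWNLOAD_URLS = {
    "http://gv-roth.de/js/bin.exe", "http://notaxcig.com/js/bin.exe",
    "http://finepack.co.in/js/bin.exe", "http://loneleaf.ca/js/bin.exe",
}
CALLBACK_IPS = {ipaddress.ip_address(ip) for ip in ("203.172.141.250", "74.208.11.204")}
# All four download URLs share this path, so it is also matched on its own;
# that generalises beyond the listed hosts, so treat such hits as leads to review.
SUSPECT_PATH = "/js/bin.exe"

def classify(url: str, dst_ip: str) -> list:
    """Return the reasons one proxy request matches the campaign ([] = no match)."""
    reasons = []
    parts = urlsplit(url.strip().lower())
    if f"{parts.scheme}://{parts.netloc}{parts.path}" in DOWNLOAD_URLS:
        reasons.append("known download url")
    elif parts.path == SUSPECT_PATH:
        reasons.append("bin.exe path pattern")
    try:
        if ipaddress.ip_address(dst_ip) in CALLBACK_IPS:
            reasons.append("known callback ip")
    except ValueError:
        pass  # destination field is '-' or otherwise not an IP address
    return reasons

def scan_proxy_log(lines):
    """Return (client, url, reasons) for every line that hits an indicator."""
    hits = []
    for line in lines:
        # Assumed (constructed) field layout: client_ip method url dst_ip status
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        client, _method, url, dst_ip, _status = fields[:5]
        reasons = classify(url, dst_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits

# Constructed sample lines, not real traffic (RFC 5737 TEST-NET addresses).
SAMPLE_LOG = [
    "10.1.2.3 GET http://www.example.com/index.html 203.0.113.10 200",
    "10.1.2.3 GET http://gv-roth.de/js/bin.exe 198.51.100.7 200",
    "10.1.2.9 POST http://74.208.11.204/ 74.208.11.204 200",
    "10.1.2.5 GET http://other-host.example/js/bin.exe 203.0.113.9 404",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the second, third and fourth sample lines; the path-pattern hit on the unlisted host is a lead to verify, not a confirmed indicator.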