
Wednesday 24 December 2014

Malware spam: Rhianna Wellings / Rhianna@teckentrupdepot.co.uk / Signature Invoice 44281

Teckentrup Depot UK is a legitimate UK company, but these emails are not from Teckentrup Depot and they contain a malicious attachment. Teckentrup Depot has not been hacked, their database has not been compromised, and they are not responsible for this in any way.

From:    Rhianna Wellings [Rhianna@teckentrupdepot.co.uk]
Date:    24 December 2014 at 07:54
Subject:    Signature Invoice 44281

Your report is attached in DOC format.

To load the report, you will need the Microsoft® Word® reader, available to download at http://www.microsoft.com/

Attached is a malicious Word document called Signature Invoice.doc which comes in two different versions, both of which are undetected by AV vendors [1] [2]. Each one contains a different macro [1] [2] [pastebin] which then downloads an additional component from one of these two locations:

http://Lichtblick-tiere.de/js/bin.exe
http://sunfung.hk/js/bin.exe

The file is saved into the location %TEMP%\1V2MUY2XWYSFXQ.exe and currently has a VirusTotal detection rate of just 4/56. The ThreatExpert report shows traffic to the following IPs:

74.208.11.204 (1&1 Internet, US)
81.169.156.5 (Strato AG, Germany)
59.148.196.153 (HKBN, Hong Kong)

According to the Malwr report it also drops a malicious DLL with a detection rate of 24/56, detected as the Dridex banking trojan.

Recommended blocklist:
74.208.11.204
81.169.156.5
59.148.196.153
lichtblick-tiere.de
sunfung.hk
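As an added example (not part of the original post), the script below shows how the recommended blocklist above can be applied to web-proxy logs. The log format (timestamp, client IP, method, URL, destination IP) and the log lines themselves are constructed for the example and are not real traffic; the indicator values are the ones listed in the post. Hostnames are matched case-insensitively and subdomains of a blocked domain count as hits, so the mixed-case Lichtblick-tiere.de URL above is caught.

```python
"""Check constructed proxy log lines against the blocklist published in this post."""
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as listed in the post's "Recommended blocklist".
BLOCKLIST_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("74.208.11.204", "81.169.156.5", "59.148.196.153")
}
BLOCKLIST_DOMAINS = {"lichtblick-tiere.de", "sunfung.hk"}

# Constructed sample log lines (assumed format: "epoch client method url dest_ip").
# These are not real logs; they exist only to exercise the matcher.
SAMPLE_LOGS = [
    "1419407640 10.0.0.12 GET http://Lichtblick-tiere.de/js/bin.exe 81.169.156.5",
    "1419407650 10.0.0.12 GET http://www.example.org/index.html 93.184.216.34",
    "1419407660 10.0.0.33 GET http://cdn.sunfung.hk/js/bin.exe 59.148.196.153",
    "1419407670 10.0.0.33 POST http://74.208.11.204/ 74.208.11.204",
    "1419407680 10.0.0.45 GET http://notsunfung.hk/ 203.0.113.9",
]


def matched_domain(host):
    """Return the blocklisted domain that host equals or is a subdomain of, else None."""
    for domain in BLOCKLIST_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None  # "notsunfung.hk" must not match "sunfung.hk"


def matched_ip(value):
    """Return the blocklisted IP string if value parses as one of them, else None."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None  # hostnames and garbage are simply not IPs
    return str(ip) if ip in BLOCKLIST_IPS else None


def scan_line(line):
    """Return the set of indicators hit by one log line (empty set if clean or malformed)."""
    parts = line.split()
    if len(parts) != 5:
        return set()  # skip malformed lines instead of raising
    _ts, _client, _method, url, dest_ip = parts
    hits = set()
    # urlsplit().hostname is already lowercased, which handles Lichtblick-tiere.de.
    host = urlsplit(url).hostname
    if host:
        domain = matched_domain(host)
        if domain:
            hits.add(domain)
        ip = matched_ip(host)  # URL may use a bare IP instead of a name
        if ip:
            hits.add(ip)
    ip = matched_ip(dest_ip)
    if ip:
        hits.add(ip)
    return hits


def scan_logs(lines):
    """Return [(line, hits)] for every line that touched at least one indicator."""
    results = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        client = line.split()[1]
        print(f"{client} -> {', '.join(sorted(hits))}")
```

Matching on both the URL host and the destination IP matters here: a client may resolve the download domain to an address that is not on the list, or connect to a listed address by IP without any hostname in the log.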

3 comments:

Unknown said...

Conrad, what do you use to analyse these macros and get the download locations of the Dridex?

Conrad Longmore said...

@Derek, you can extract the macro with OfficeMalScanner and then it is a question of deobfuscating the VB script. Because it's an interpreted language, that can be fairly easy (you can use its own code against it).