
Wednesday, 17 December 2014

Malware spam: UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" [roughandtumble63@yahoo.co.uk]

This somewhat odd and terse spam comes with a malicious attachment.

From:    UK GEOLOGY PROJECT by "Rough & Tumble" with "Moussa Minerals" <roughandtumble63@yahoo.co.uk>
Date:    17 December 2014 at 07:20
Subject:    Invoice as requested
There is no body text, but there is a malicious DOC attachment named 20140918_122519.doc which comes in two slightly different versions with poor detection rates [1] [2]. The macros have been subtly changed from recent spam runs [1] [2] [pastebin] and download a second stage from one of the following locations:

http://openstacksg.com/js/bin.exe
http://worldinlens.net/js/bin.exe

This malicious executable is saved as %TEMP%\ADGYMSEKRJE.exe and has a detection rate of only 2/54.

As is common with recent similar malware attempts, it attempts to phone home to 74.208.11.204 (1&1, US) as shown in the ThreatTrack report [pdf]. The Malwr report indicates a dropped file with an MD5 of ee826c184155a1fa1aea984f914e606a which is probably Dridex.
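As an added example (not part of the original post), the network indicators quoted above can be matched against proxy logs to find hosts that fetched the second stage or contacted the phone-home address. The log lines below are constructed in Squid's native access.log layout for illustration, and flagging any request to the two download hosts (not just the bin.exe path) is an assumption of this script, not something the post states.

```python
"""Match the network indicators quoted in the post against proxy log lines."""
from urllib.parse import urlsplit

# Indicators taken from the post above (second-stage download URLs, C2 address)
STAGE2_URLS = {
    "http://openstacksg.com/js/bin.exe",
    "http://worldinlens.net/js/bin.exe",
}
STAGE2_HOSTS = {urlsplit(u).hostname for u in STAGE2_URLS}
C2_IP = "74.208.11.204"

# Constructed sample in Squid native access.log layout; not a real capture.
SAMPLE_LOG = """\
1418800811.123 245 10.0.0.17 TCP_MISS/200 61440 GET http://openstacksg.com/js/bin.exe - DIRECT/203.0.113.5 application/octet-stream
1418800812.456 88 10.0.0.17 TCP_MISS/200 512 GET http://example.org/index.html - DIRECT/203.0.113.9 text/html
1418800830.789 120 10.0.0.17 TCP_MISS/200 312 POST http://74.208.11.204/ - DIRECT/74.208.11.204 text/html
1418800845.001 300 10.0.0.23 TCP_MISS/200 61440 GET http://worldinlens.net/js/bin.exe - DIRECT/203.0.113.7 application/octet-stream
1418800850.002 90 10.0.0.23 TCP_MISS/200 1024 GET http://worldinlens.net/about.html - DIRECT/203.0.113.7 text/html
"""


def classify(line):
    """Return (client_ip, reason, url) for a suspicious line, else None.

    Squid native format fields: time elapsed client code/status bytes
    method URL ident hierarchy/peer type.
    """
    fields = line.split()
    if len(fields) < 10:
        return None  # malformed or truncated line: skip rather than guess
    client, url, peer = fields[2], fields[6], fields[8]
    peer_ip = peer.partition("/")[2]
    host = urlsplit(url).hostname or ""
    if url in STAGE2_URLS:
        return (client, "stage2_download", url)
    if host == C2_IP or peer_ip == C2_IP:
        return (client, "c2_contact", url)
    if host in STAGE2_HOSTS:
        return (client, "stage2_host", url)  # same host, other path (assumed worth a look)
    return None


def scan(log_text):
    """Run classify() over every line and return the hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, reason, url in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

Feed a real access.log to scan() and group the hits by client address to get the list of machines that need the dropped %TEMP% executable looked for.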
