From: Briana
Date: 17 December 2014 at 08:42
Subject: PL REMITTANCE DETAILS ref844127RH
The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct; if any changes are required, please email back to this email address quoting your remittance reference.
The reference in the subject and the name of the Excel attachment differ from email to email, but within any one message the two always match. There are two poorly detected malicious Excel files that I have seen [1] [2], containing two slightly different macros [1] [2], which then reach out to the following download locations:
http://23.226.229.112:8080/stat/lldv.php
http://38.96.175.139:8080/stat/lldv.php
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55. The ThreatTrack report [pdf] shows it POSTing to the following IP:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it.
The Malwr report also shows it dropping a malicious DLL identified as Dridex.
The ThreatExpert report gives some different IPs being contacted:
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139
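As an added example (not code from the original post or its author), the script below turns the indicators described above into two defender-side checks: a mail-gateway check for the "PL REMITTANCE DETAILS ref…" subject with a matching Excel attachment, and a proxy-log scan for the blocklisted IPs and the /stat/lldv.php download path used by both macro locations. The proxy log format, the internal client addresses and the log lines themselves are constructed for the example; 198.51.100.7 is a documentation address standing in for an unknown host serving the same path.

```python
import re
from urllib.parse import urlparse

# Network indicators taken from the post: the recommended blocklist and the two macro download URLs.
BLOCKLIST_IPS = {
    "194.146.136.1",   # C2 the dropped executable POSTs to
    "80.237.255.196",  # additional IPs from the ThreatExpert report
    "85.25.20.107",
    "23.226.229.112",  # macro download locations
    "38.96.175.139",
}
DOWNLOAD_URLS = {
    "http://23.226.229.112:8080/stat/lldv.php",
    "http://38.96.175.139:8080/stat/lldv.php",
}
# Both download locations share this path, so matching it also catches a new host on the same kit.
DOWNLOAD_PATH_RE = re.compile(r"/stat/lldv\.php$")

# Subject shape from the spam run: "PL REMITTANCE DETAILS ref<digits><letters>".
SUBJECT_RE = re.compile(r"^PL REMITTANCE DETAILS\s+(ref\d+[A-Z]+)$", re.IGNORECASE)
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm")


def email_indicators(subject, attachment_name):
    """Return the reasons (if any) an email resembles the remittance spam run.

    The post notes that the reference in the subject and the attachment name are
    consistent within a message, so that agreement is scored as a third signal.
    """
    reasons = []
    match = SUBJECT_RE.match(subject.strip())
    if not match:
        return reasons
    reasons.append("subject matches the PL REMITTANCE DETAILS pattern")
    reference = match.group(1).lower()
    if attachment_name and attachment_name.lower().endswith(EXCEL_EXTENSIONS):
        reasons.append("Excel attachment present")
        if reference in attachment_name.lower():
            reasons.append("attachment name carries the same reference as the subject")
    return reasons


# Constructed proxy log format (hypothetical): "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Scan proxy log lines and return one hit record per line that touches an indicator."""
    hits = []
    for line in lines:
        match = PROXY_LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the expected format
        url = match.group("url")
        parsed = urlparse(url)
        reasons = []
        if parsed.hostname in BLOCKLIST_IPS:
            reasons.append(f"destination {parsed.hostname} is on the blocklist")
        if url in DOWNLOAD_URLS:
            reasons.append("exact macro download URL")
        elif DOWNLOAD_PATH_RE.search(parsed.path or ""):
            reasons.append("URL path matches the macro download location /stat/lldv.php")
        if reasons:
            hits.append({"ts": match.group("ts"), "src": match.group("src"),
                         "method": match.group("method"), "url": url, "reasons": reasons})
    return hits


# Constructed sample log lines for the example; the internal 10.0.0.x clients are fictional.
SAMPLE_PROXY_LOG = [
    "2014-12-17T08:45:01 10.0.0.12 GET http://23.226.229.112:8080/stat/lldv.php 200",
    "2014-12-17T08:45:02 10.0.0.12 GET http://www.example.com/index.html 200",
    "2014-12-17T08:45:09 10.0.0.12 POST http://194.146.136.1/ 200",
    "2014-12-17T08:46:30 10.0.0.40 GET http://198.51.100.7:8080/stat/lldv.php 404",
]

if __name__ == "__main__":
    print(email_indicators("PL REMITTANCE DETAILS ref844127RH", "ref844127RH.xls"))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["ts"], hit["src"], hit["method"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The path match is deliberately separate from the exact-URL match: a 404 from an unlisted host on /stat/lldv.php (the last sample line) is still worth an alert, because it suggests a client ran the macro against a download location the blocklist does not yet contain.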
3 comments:
Would this work on Macs?
@Jonathan, the macro might run on a Mac, but the file downloaded will only run on a Windows PC.
Thanks Conrad