
Monday, 8 December 2014

"Soo Sutton" / "INVOICE 224245 from Power EC Ltd" spam

Another variant of this spam: this fake invoice comes with a malicious Word document attached.
From:     soo.sutton966@powercentre.com
Date:     8 December 2014 at 10:57
Subject:     INVOICE 224245 from Power EC Ltd

Please find attached INVOICE number 224245 from Power EC Ltd
Attached is one of two Word documents, both named 224245.doc but with slightly different macros. Neither is currently detected by any AV vendor [1] [2]. Inside the DOC is one of two malicious macros [1] [2] [pastebin], which download an executable from one of the following locations:

http://aircraftpolish.com/js/bin.exe
http://gofoto.dk/js/bin.exe


This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:

203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)

According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53.

Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish.com
gofoto.dk

UPDATE 2014-12-09:

A further couple of variants are being spammed out, both with low detection rates at VirusTotal [1] [2] and containing one of two malicious macros [1] [2] [pastebin] which download from the following locations:

http://kawachiya.biz/js/bin.exe
http://darttoolinc.com/js/bin.exe


This is then saved as %TEMP%\YVXBZJRGJYE.exe and is presently undetected by vendors. The Malwr report and ThreatExpert report vary slightly, but both show traffic to the same IPs as before. The Malwr report also indicates that a DLL is dropped with a detection rate of 4/52, which is identified as the Dridex trojan.

Recommended blocklist:
203.172.141.250
74.208.11.204
kawachiya.biz
darttoolinc.com
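To make the two blocklists above actionable, here is an added example (my own code, not the post's) that matches proxy log lines and a %TEMP% directory listing against the IOCs published in this post: the four download hosts, the /js/bin.exe path, the two callback IPs and the two dropped file names. The Squid-style log format, the sample log lines and the sample directory listing are assumptions constructed for illustration.

```python
"""Sweep proxy logs and a %TEMP% listing for the IOCs published in this post.

Added example, not part of the original post. The Squid-style proxy log
lines and the directory listing below are constructed for illustration;
the IOC values themselves are copied from the post's two blocklists.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Network IOCs from the post (original entry plus the 2014-12-09 update).
BLOCKLIST_IPS = {"203.172.141.250", "74.208.11.204"}
BLOCKLIST_DOMAINS = {"aircraftpolish.com", "gofoto.dk",
                     "kawachiya.biz", "darttoolinc.com"}
# Both waves fetched the payload from the same path on each host.
DOWNLOAD_PATH = "/js/bin.exe"
# Host IOCs: names the payload was saved under in %TEMP%.
DROPPED_NAMES = {"CWRSNUYCXKL.exe", "YVXBZJRGJYE.exe"}


def classify_url(url: str, peer_ip: str = "") -> List[str]:
    """Return the sorted list of reasons a request matches the IOCs.

    A host on the domain or IP list is a strong indicator; a bare
    /js/bin.exe path on an unlisted host is weaker and is reported
    separately so the analyst can triage it.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = set()
    if host in BLOCKLIST_DOMAINS:
        reasons.add("blocklisted domain")
    if host in BLOCKLIST_IPS or peer_ip in BLOCKLIST_IPS:
        reasons.add("blocklisted ip")
    if parts.path.lower() == DOWNLOAD_PATH:
        reasons.add("download path")
    return sorted(reasons)


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Match Squid native access-log lines against the IOCs.

    Field layout (assumed, Squid default): timestamp elapsed client
    code/status bytes method url ident peerstatus/peerhost type.
    Lines without at least the URL field are skipped.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        peer_ip = fields[8].split("/")[-1] if len(fields) > 8 else ""
        reasons = classify_url(url, peer_ip)
        if reasons:
            hits.append({"client": client, "url": url, "reasons": reasons})
    return hits


def scan_temp_listing(names: Iterable[str]) -> List[str]:
    """Return entries of a %TEMP% listing that match the dropped-file names.

    Windows file names are case-insensitive, so compare upper-cased.
    """
    wanted = {n.upper() for n in DROPPED_NAMES}
    return [n for n in names if n.upper() in wanted]


# Constructed sample data: one client fetching the payload, an unrelated
# request, a callback to a C2 IP, and a /js/bin.exe from an unlisted host.
SAMPLE_PROXY_LOG = """\
1418034000.123 210 10.0.0.15 TCP_MISS/200 91234 GET http://aircraftpolish.com/js/bin.exe - DIRECT/198.51.100.10 application/octet-stream
1418034001.456 35 10.0.0.15 TCP_MISS/200 1200 GET http://www.example.com/index.html - DIRECT/198.51.100.20 text/html
1418034002.789 15 10.0.0.22 TCP_MISS/200 512 POST http://203.172.141.250/ - DIRECT/203.172.141.250 text/html
1418034003.000 40 10.0.0.31 TCP_MISS/200 88000 GET http://unrelated.example.net/js/bin.exe - DIRECT/198.51.100.30 application/octet-stream
"""
SAMPLE_TEMP_LISTING = ["desktop.ini", "cwrsnuycxkl.exe", "tmp1A2B.tmp"]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{hit['client']}: {hit['url']} ({', '.join(hit['reasons'])})")
    for name in scan_temp_listing(SAMPLE_TEMP_LISTING):
        print(f"%TEMP% contains dropped file: {name}")
```

Run it over the proxy log covering the dates of the two waves and over a listing of each suspect user's %TEMP% folder. A hit on a listed domain or IP is high confidence; a hit on the /js/bin.exe path alone is reported separately because the same path on an unlisted host may be a new download location or an unrelated file, and should be checked by hand before it is added to the blocklist.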

4 comments:

Megan Stilwell said...

I received this email this morning, but only one of the 2 documents was opened. I immediately deleted the document and email. Is my computer still at risk?

Conrad Longmore said...

@Megan - the macro will activate only if you have macros enabled. The best indicator is to look in your %TEMP% (e.g. C:\Users\Yourname\AppData\Local\Temp) folder for an executable of the name described in the article.

Unknown said...

Hi, I got this email yesterday. It caught me out as it was a Word doc that was attached and it was sent to our company email, so it could well have been something ordered that I wasn't aware of. I didn't actually open the doc, just briefly clicked on the side option to 'open as web page'. The window only just opened, then I closed it again as it dawned on me what it probably was.

I've done an AVG (free) full scan, Malwarebytes Anti-Malware and also a scan with an online checker that was recommended on another forum (ESET virus checker). All have come back clear and my laptop is running fine. Word appears to be working OK too, nothing out of the ordinary.

Mozilla Firefox is my browser.

I thought I was OK, but I've just had to log into my bank a/c and a box came up that asked if I wanted to save my password. I don't ever remember seeing this option before and now I'm worried! (edit: just had to log in to my Google a/c to post this and the same box came up 'save password?')

I've just searched on the PC for both of the files mentioned above and nothing has been found.

Unknown said...

An instructive post. People need to really know who they want to reach and why, or else they'll have no way to know what they're trying to achieve. People need to hear this and have it drilled into their brains.
Thanks for sharing this great article.
Check for web design Toronto tips and solutions.