Wednesday, 10 December 2014

Spam: "Remittance Advice from Anglia Engineering Solutions Ltd"

This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.

From: Serena Dotson
Date: 10 December 2014 at 10:33
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]

Dear ,

We are making a payment to you.

Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.

If you have any questions regarding the remittance please contact us using the details below.


Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd
Tel: 01469 520572

The sender's name, ID number and attachment name vary from one spam email to the next. The email comes with one of two Excel attachments, both of which are malicious but undetected by any AV product [1] [2]. Each contains one of two malicious macros [1] [2] [pastebin] that attempts to download an executable from the following locations:

http://217.174.240.46:8080/stat/lld.php
http://187.33.2.211:8080/stat/lld.php


This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows attempted connections to the following IPs:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)

Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic.

The payload is most likely Dridex, a banking trojan.

I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201

217.174.240.46
187.33.2.211
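To turn the indicators above into something a defender can run against proxy logs, here is an added example (not part of the original post) that matches Squid-style access.log lines against the two download hosts and the three post-infection IPs, labels each hit by stage, and picks out clients that both fetched the payload unblocked and then reached a C2 IP. The log format and the sample lines are assumed and constructed; the IPs are the ones listed in the post.

```python
import re

# Indicators taken from the post: the two macro download locations and the
# three IPs the dropped executable contacted.
DOWNLOAD_HOSTS = {"217.174.240.46", "187.33.2.211"}   # /stat/lld.php on :8080
C2_IPS = {"194.146.136.1", "84.92.26.50", "87.106.246.201"}

# Squid native access.log: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")

def classify(line):
    """Return a hit dict if the request touches a known indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    with_scheme = HOST_RE.match(url)
    # CONNECT requests are logged as "host:port" with no scheme.
    host = with_scheme.group(1) if with_scheme else url.split(":")[0]
    if host in DOWNLOAD_HOSTS:
        stage = "stage1-download"   # macro fetching test.exe
    elif host in C2_IPS:
        stage = "stage2-c2"         # dropped executable calling home
    else:
        return None
    # Simple heuristic: anything other than a 200 is treated as not delivered.
    return {"ts": m.group("ts"), "client": m.group("client"), "host": host,
            "stage": stage, "blocked": not m.group("status").endswith("/200")}

def scan(lines):
    return [h for h in map(classify, lines) if h]

def infected_clients(hits):
    """Clients that fetched the payload unblocked AND later reached a C2 IP."""
    fetched = {h["client"] for h in hits
               if h["stage"] == "stage1-download" and not h["blocked"]}
    beaconed = {h["client"] for h in hits if h["stage"] == "stage2-c2"}
    return fetched & beaconed

# Constructed sample log lines (not real traffic) for demonstration.
SAMPLE_LOG = """\
1418207580.101    245 10.0.0.15 TCP_MISS/200 204800 GET http://217.174.240.46:8080/stat/lld.php - HIER_DIRECT/217.174.240.46 application/octet-stream
1418207591.322     12 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1418207602.540   1800 10.0.0.15 TCP_TUNNEL/200 3400 CONNECT 194.146.136.1:443 - HIER_DIRECT/194.146.136.1 -
1418207640.007      3 10.0.0.31 TCP_DENIED/403 0 GET http://187.33.2.211:8080/stat/lld.php - HIER_NONE/- text/html
"""
```

Running `infected_clients(scan(SAMPLE_LOG.splitlines()))` on the sample returns only 10.0.0.15; 10.0.0.31 was denied at the download stage and never beaconed.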
