This spam is not from UK Fuels Ltd or ebillinvoice.com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors.

From: invoices@ebillinvoice.com
Date: 11 December 2014 at 08:06
Subject: UK Fuels E-bill
Customer No : 35056
Email address : [redacted]
Attached file name : 35056_49_2014.doc

Dear Customer

Please find attached your invoice for Week 49 2014.

In order to open the attached DOC file you will need
the software Microsoft Office Word.

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

Yours sincerely
Customer Services
UK Fuels Ltd

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

The macro in the attachment downloads a file from the following location:
http://KAFILATRAVEL.COM/js/bin.exe
This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56 at VirusTotal.
The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you block this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55.
UPDATE 2014-12-12
Another spam run pushing this is in progress, with two different Word attachments seen so far (all called 35056_49_2014.doc). These are currently undetected by AV vendors [1] [2] and contain two slightly different macros [1] [2] [pastebin] that then attempt to download a binary from one of the following locations:
http://imperialenergy.ca/js/bin.exe
http://jnadvertising.com/js/bin.exe
This is then saved as %TEMP%\RPDWVRNDBGX.exe. This executable is malicious but has a VirusTotal detection rate of just 2/56. The ThreatExpert report shows connections to:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)
Both these IPs have been seen before and are definitely worth blocking. According to the Malwr report, this executable drops a DLL widely identified as the Dridex banking trojan.
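As an added example (not part of the original post, and not the tooling used by its author), here is a small Python script that matches proxy or firewall log lines against the indicators listed above: the three download URLs, the two callback IPs and the attachment name. The log format and the sample log lines are constructed for this example; the indicator values are the ones given in the post. The attachment-name pattern at the end is an assumption that generalises the single observed name (customer number, week number, year) and is labelled as such in the code.

```python
"""Match constructed log lines against the indicators from the post above.

Indicator values (URLs, IPs, attachment name) come from the post; the log
format, the sample lines and the attachment-name pattern are constructed
assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Download locations named in the post (one host is written in capitals there;
# urlparse().hostname lower-cases it for us).
DOWNLOAD_URLS = [
    "http://KAFILATRAVEL.COM/js/bin.exe",
    "http://imperialenergy.ca/js/bin.exe",
    "http://jnadvertising.com/js/bin.exe",
]
# Callback IPs the post recommends blocking.
CALLBACK_IPS = {"203.172.141.250", "74.208.11.204"}
# Attachment name seen in both spam runs.
ATTACHMENT_NAME = "35056_49_2014.doc"

BAD_HOSTS = {urlparse(u).hostname for u in DOWNLOAD_URLS}
BAD_PATH = "/js/bin.exe"

# Constructed log format (hypothetical): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Assumed generalisation of the observed attachment name: "<customer>_<week>_<year>.doc".
LURE_NAME_RE = re.compile(r"^\d+_\d{1,2}_\d{4}\.doc$", re.IGNORECASE)


def classify(line):
    """Return (kind, client_ip, host) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    if host in BAD_HOSTS and url.path == BAD_PATH:
        return ("download", m.group("src"), host)
    if host in CALLBACK_IPS:
        return ("callback", m.group("src"), host)
    # Same payload path on an unlisted host is worth a second look.
    if url.path.endswith(BAD_PATH):
        return ("suspect-path", m.group("src"), host)
    return None


def scan(lines):
    """Classify every line and return the list of hits in log order."""
    return [hit for hit in map(classify, lines) if hit]


def is_lure_attachment(filename):
    """True for the exact observed name or for a name fitting the assumed pattern."""
    return filename == ATTACHMENT_NAME or bool(LURE_NAME_RE.match(filename))


# Constructed sample log: two clients fetching the binary and calling back.
SAMPLE_LOG = """\
2014-12-11T08:10:02Z 10.1.2.3 GET http://kafilatravel.com/js/bin.exe 200
2014-12-11T08:10:09Z 10.1.2.3 POST http://203.172.141.250:8080/ 200
2014-12-11T08:11:15Z 10.1.2.4 GET http://www.example.com/index.html 200
2014-12-12T09:02:41Z 10.1.2.5 GET http://jnadvertising.com/js/bin.exe 200
2014-12-12T09:03:00Z 10.1.2.5 POST http://74.208.11.204/ 200
"""

if __name__ == "__main__":
    for kind, src, host in scan(SAMPLE_LOG.splitlines()):
        print(f"{kind:12s} {src:10s} -> {host}")
```

A client that shows a "download" hit followed by a "callback" hit is the one to pull off the network first; the "suspect-path" class catches the same `/js/bin.exe` payload path on hosts that were not yet on the list.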
4 comments:
We see the binary POSTing to 203.172.141.250:8080
@Macro, yes. That IP has been used many times recently, it's in the Malwr report.
Strange coincidence - I seem to have the same customer number!
I got exactly the same customer number - but - I DON'T LIVE IN THE UK.