Sponsored by..

Friday, 12 December 2014

wavecable.com "Order - R58551" spam

This fake invoice comes with a malicious attachment.

From:    kaybd2@wavecable.com
Date:    12 December 2014 at 17:17
Subject:    Order - R58551

Thanks for placing order with us today! Your order is now on process.



Outright Purchase: 6949 US Dollars

Please click the word file provided below to see more details about your order.

BILLING DETAILS

Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@[redacted]

Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56 on VirusTotal. That contains this macro [pastebin] which downloads an executable from:

http://www.2fs.com.au/tmp/rkn.exe

That has a VirusTotal detection rate of 5/55. The Malwr report shows HTTP traffic to the following URLs:

hxxp://5.187.1.78/
hxxp://46.250.6.1/yQ0rNl=kQUO%2C/Uy.%20%206vPh/sGiK2LtSiX75BirV=%3DyaE%2D0jZ5/
hxxp://46.250.6.1/QO&KN@tZOvZ%2Ba/JW/wI%20%3FqZCSz&CH
hxxp://46.250.6.1/lgXM77$&N~/fn0R&OPvY/0%26EySg.2
hxxp://46.250.6.1/BJHWvUNBFb%7E8FS7%20/ku_%2CLOZC/%3DA%26S@R%2CRsl
hxxp://46.250.6.1/hjr5mo3/Jx%2C%3DKciOwsc0h.ICAQCFqbLFj6Q6bvtk&2/%3F%2DcG~k1R%2Cfu%2Djty&Kch2t~I
hxxp://46.250.6.1/1o26ZIXNlEyK/68G%2DvlteIkwiQ~WG%2C9/qFcRXJ9%24FHkr
hxxp://46.250.6.1/ISTfN%3D%2BpR6z/sV3sFy=/&rwxy/8
hxxp://46.250.6.1/fBuw/4%241PoLX5P=ThT4Hyzu/wbkj9q/zTt
hxxp://46.250.6.1/StKeINKIun6v$l0%2478bpb=1.8S%2B/q~S%2BcrS%24F%24y/@HA%2B7e%7EK%2Bp1HeQ3l_Qlc/L
hxxp://5.135.28.106/riBmIaB8bRi/sb1VvM/U=_=/PPa
hxxp://46.250.6.1/fCBz41ytqa.%2DjS8cj_rj=m%2Dzuxyr/lcvsbBxg%2Dsx%2DfS/%3D7lus%3F7e%3D%2D2.ou61s~
hxxp://46.250.6.1/zkzwh6f08q+e%2Dj%26rf.21/96ih%2D4.lhse8%20x8kgn%2B/59f3%7Ef+j%7Es%3D=w%2C+z91o
hxxp://46.250.6.1/yw1oy1pkp2+f%20au%26p@%2D/fmqyfl=zerhywesazsz2&s%2C%24%24%2Csv@k=+sqvs%3F%7Ep/

The ThreatExpert report shows POSTing to 209.208.62.36:8080

Combining some extra lookup in the Malwr report indicates that these following IPs are suspect:

209.208.62.36 (Atlantic.net, US)
5.187.1.78 (Fornex Hosting, Germany)
46.250.6.1 (Briz, Ukraine)
5.135.28.106 (OVH, France)
66.213.111.72 (Ohio Public Libraries, US)
95.211.188.129 (Leaseweb, Netherlands)

A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.

Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129


1 comment:

Kitten Herder said...

When downloading the executable file, the Macro spoofs a Mac's User Agent string:

'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML like Gecko) Version/8.0 Safari/600.1.25'

This is probably done to discourage Information Security analysts from bothering to investigate the exposure, if they happen to notice the download in their logs.