From: Courtney Stark
Date: 7 January 2015 at 12:27
Subject: Invoice 1252.70 GBP
Please find attached invoice for 1252.70 GBP.
Any queries please contact us.
Courtney Stark
Senior Accounts Payable Specialist
AVIVA
The "sender" is spoofed from multiple companies, so far I have seen:
Courtney Stark
Senior Accounts Payable Specialist
AVIVA
Phyllis Cobb
Senior Accounts Payable Specialist
DIGITAL BARRIERS LTD
Colby Burris
Senior Accounts Payable Specialist
XAAR
Randy Welch
Senior Accounts Payable Specialist
CAMELLIA
Kendra Cervantes
Senior Accounts Payable Specialist
TRINITY EXPLORATION & PRODUCTION
In the samples I have seen, there are two slightly different malicious Excel files with fairly low detection rates [1] [2] containing one of these two macros [1] [2] [pastebin] which downloads an executable from one of the following locations:
http://87.106.165.232:8080/mans/pops.php
http://193.136.19.160:8080/mans/pops.php
These locations are also found with this spam run and the payload is identical.
No comments:
Post a Comment