
Friday 9 January 2015

Malware spam: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report

This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd, but it isn't; it is a spoof. Datasharp is not sending the spam, and their systems have not been compromised in any way.

From:    ebilling@datasharp.co
Date:    9 January 2015 at 06:55
Subject:    DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report


Attached is your Invoice from Datasharp Hosted Services for this month.

To view your bill please go to www.datasharp.co.uk.  Allow 24 hours before viewing this information.

For any queries relating to this bill, please contact hosted.services@datasharp.co.uk or call 01872 266644.

Please put your account number on your reply to prevent delays

Kind Regards

So far I have seen two different Word documents attached, with low detection rates at VirusTotal [1] [2], containing one of two malicious macros [1] [2] [pastebin] which then attempt to download an additional component from the following locations:


The tickletootsies.com download location has been cleaned up, but the other one is still working and it downloads a file with a VirusTotal detection rate of 5/56. That VirusTotal report also shows that it attempts to POST to (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.

UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
