Sponsored by..

Wednesday 7 January 2015

Malware spam: "Eliza Fernandes" / "NUCSOFT-Payroll December 2014"

This fake spam pretends to be from an Indian company called Nucsoft but it isn't, instead it comes with a malicious Word document attached. Nucsoft are not sending out the spam, nor have their systems been compromised in any way.

From:    Eliza Fernandes [eliza_fernandes@nucsoft.co.in]
Date:    7 January 2015 at 07:27
Subject:    NUCSOFT-Payroll December 2014

Please find the data for payroll processing.


Please forward the PDF of summary.

 Regards,
Eliza Fernandes


NUCSOFT Ltd.
Finance Dept.

-------------------------------------------------------------------------------------------------
DISCLAIMER:
This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,
-------------------------------------------------------------------------------------------------
                          NUCSOFT : With You - Until Success  and Beyond....
                          Visit us at http://www.nucsoft.com
-------------------------------------------------------------------------------------------------
Attached is a malicous Word document (not a PDF) called Payroll Dec'14.doc which has a VirusTotal detection rate of 3/56. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://cerovski1.net.amis.hr/js/bin.exe

This is saved as %TEMP%\1V2MUY2XWYSFXQ.exe and has a VirusTotal detection rate of just 1/56.

The Malwr report shows network connections to the following IPs:

59.148.196.153 (HKBN, Hing Kong)
74.208.11.204 (1&1, US)

It also drops a DLL with a detection rate of 20/56, identified as Dridex.

Recommended blocklist:
59.148.196.153
74.208.11.204

Note - for research purposes, a copy of the DOC and dropped files is here [zip]. Password is "infected".

2 comments:

ager said...

We had the same emails and were able to spot the URL in the hex and block easily enough but I am new to looking at these. How were you able to tell the file would be saved to : %TEMP%\1V2MUY2XWYSFXQ.exe


Thanks - Great work on this Blog.

Unknown said...

Looking at the client list of this company, This malware spam attack run could turn out to have a lot more serious consequences than other similar attacks. Several of the clients that use this company are major banks, other financial institutes and tech companies. We all know it only needs 1 single user with the required admin access or having confidential info on their computer to bring down the company. I dread to think what could be the possible outcome if a payroll admin for HP or HSBC or Barclays bank opened the attachment & got infected