From: Invoice from Hexis [Invoice@hexis.co.uk]
Date: 15 January 2015 at 06:36
Subject: Invoice

Sent 15 JAN 15 08:30
HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ
Telephone 01543 411221
Fax 01543 411246

Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in two different versions (perhaps more) with low detection rates [1] [2], containing two slightly different macros [1] [2] which download a component from one of the following locations:
http://dramakazuki.kesagiri.net/js/bin.exe
http://cassiope.cz/js/bin.exe
This has a VirusTotal detection rate of 3/57. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US), a familiar C&C server that you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:
59.148.196.153
74.208.11.204
81.27.38.97
UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57.
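The indicators above (the two download URLs, the C&C endpoint on port 8080 and the three-address blocklist) are only useful if they are actually checked against egress logs. The script below is an added example, not part of the original post or of any tooling the author describes: it takes those indicators as-is and runs them over constructed Squid-style proxy lines and iptables-style firewall lines to list which internal hosts fetched the payload or talked to the blocklisted addresses. The log formats, the internal 10.0.0.x addresses and the peer IPs in the sample lines are all assumptions made for the example.

```python
"""Match outbound proxy and firewall logs against the indicators in this post.

Added example, not the post's own tooling. The log formats (Squid native
access log, iptables-style kernel log) and every sample line are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted in the post above.
DOWNLOAD_URLS = (
    "http://dramakazuki.kesagiri.net/js/bin.exe",
    "http://cassiope.cz/js/bin.exe",
)
C2_ENDPOINT = ("74.208.11.204", 8080)
BLOCKLIST_IPS = ("59.148.196.153", "74.208.11.204", "81.27.38.97")

DOWNLOAD_HOSTS = {urlparse(u).hostname for u in DOWNLOAD_URLS}
BLOCKED = {ipaddress.ip_address(ip) for ip in BLOCKLIST_IPS}

URL_RE = re.compile(r"https?://\S+")
FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+).*?\bdpt=(?P<dpt>\d+)")

# Constructed sample data (not taken from the post). Squid native format:
# ts elapsed client code/status bytes method url user hier/peer type
SAMPLE_PROXY_LOG = """\
1421304000.123 512 10.0.0.15 TCP_MISS/200 118432 GET http://cassiope.cz/js/bin.exe - DIRECT/91.239.200.32 application/octet-stream
1421304001.456 20 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1421304007.789 300 10.0.0.40 TCP_MISS/200 118432 GET http://dramakazuki.kesagiri.net/js/bin.exe - DIRECT/203.0.113.7 application/octet-stream
1421304015.001 80 10.0.0.15 TCP_MISS/200 512 POST http://74.208.11.204:8080/ - DIRECT/74.208.11.204 text/html
"""

# Constructed iptables-style log of accepted outbound connections.
SAMPLE_FW_LOG = """\
Jan 15 08:41:02 fw1 kernel: OUT src=10.0.0.15 dst=74.208.11.204 proto=TCP spt=49213 dpt=8080
Jan 15 08:41:05 fw1 kernel: OUT src=10.0.0.22 dst=93.184.216.34 proto=TCP spt=49214 dpt=443
Jan 15 08:42:10 fw1 kernel: OUT src=10.0.0.31 dst=81.27.38.97 proto=TCP spt=49300 dpt=443
"""


def _ip_or_none(text):
    """Parse an IP literal, returning None for hostnames or junk."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def scan_proxy_log(text):
    """Flag requests for the macro's download hosts or to any blocklisted IP.

    A request to a blocklisted IP is caught both when the URL itself is an IP
    literal and when the proxy's peer field shows it connected to that IP.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # not a complete Squid record
        client = fields[2]
        url_match = URL_RE.search(line)
        if not url_match:
            continue
        url = url_match.group(0)
        host = urlparse(url).hostname or ""
        peer = _ip_or_none(fields[8].split("/", 1)[-1])  # "DIRECT/<ip>"
        reasons = []
        if host in DOWNLOAD_HOSTS:
            reasons.append("macro download host")
        if _ip_or_none(host) in BLOCKED or peer in BLOCKED:
            reasons.append("blocklisted IP")
        if reasons:
            hits.append({"client": client, "url": url, "reasons": reasons})
    return hits


def scan_firewall_log(text):
    """Flag outbound connections to blocklisted IPs; mark the known C&C port."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        dst = _ip_or_none(m.group("dst"))
        if dst not in BLOCKED:
            continue
        dpt = int(m.group("dpt"))
        hits.append({
            "src": m.group("src"),
            "dst": str(dst),
            "dpt": dpt,
            "c2": (str(dst), dpt) == C2_ENDPOINT,
        })
    return hits


def hosts_to_triage(proxy_hits, fw_hits):
    """Internal addresses that fetched the payload or reached the blocklist."""
    return {h["client"] for h in proxy_hits} | {h["src"] for h in fw_hits}


if __name__ == "__main__":
    proxy_hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    fw_hits = scan_firewall_log(SAMPLE_FW_LOG)
    for h in proxy_hits + fw_hits:
        print(h)
    print("triage:", sorted(hosts_to_triage(proxy_hits, fw_hits)))
```

The C&C check is deliberately done on the IP rather than the hostname, because the macro's second stage calls home by address; the download check is done on the hostname, because the same path (/js/bin.exe) can be served from any compromised site and the host is the stable part of that indicator. In practice you would feed real log files in and treat every host in the triage set as a candidate for re-imaging rather than just cleaning.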
Dear Customer,
Hexis UK Ltd has had their e-mail account hacked early this morning. The hacker is sending emails that look like they are coming from Hexis with the following email address (invoice@hexis.co.uk).
If you receive an email from Hexis and are not expecting it then please DO NOT OPEN the email and simply delete it.
Please note that due to the huge amount of emails that have been sent, we are receiving a very, very high telephone demand from thousands of people.
Should you wish to place an order with Hexis then please bear with us or email us at sales@hexis.co.uk
We thank you for your understanding.
I got this spam email and I can't seem to delete it from my Windows Live Mail inbox. Please help!! I have not opened the email (knew it was spam)
Tx, Ronny
We received the email and called the company to ascertain what customer data has been obtained. I was forwarded to a technical member of staff who was confused as to the difference between an ISP and a mail server. He was generally difficult and argumentative, and intrusive in asking us who our ISP was and what we do about viruses. After 10 minutes of going around the Wrekin I gave up. Our data governance manager will be writing to the business to ascertain the potential implications.
I finally was able to delete the mail, after running my antivirus software and closing down the computer completely. As to Hexis, I am wondering why they have my email address anyway, as I've never had anything to do with them. Doesn't instill confidence in the company or its IT department.
Let me stress this - Hexis HAVE NOT BEEN HACKED. The emails are sent from a criminally-controlled botnet whose operators (for unknown reasons) decided to fake these emails to make it look like they came from Hexis. Typically they seem to do this to one or two companies a day.
It is trivially easy to fake who an email appears to be "from", and that is what is happening here.
If you do happen to be a customer of Hexis and you have received the spam then it is a coincidence, nothing more.
Gents,
There is no need to panic: the included VB script is well known :) and was recognised by AVG (and 3 other AV engines); for now about 30 AV vendors are performing updates to their signatures.
I performed an initial trace back to the source... Yes, indeed it's a botnet and originated by Russians :) Cyrillic is the default code page in the document...
Any ideas who is originator?