Sample 1 - INVOICE ADVISE 08/01/2015
From: Mia Holmes
Date: 8 January 2015 at 09:11
Subject: INVOICE ADVISE 08/01/2015
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Mia Holmes
Accountant
SULA IRON & GOLD PLC
Sample 2 - NOVEMBER INVOICE
From: Reed Barrera
Date: 8 January 2015 at 09:16
Subject: NOVEMBER INVOICE
Good morning
Happy New Year
Please could you advise on the November GBP invoice in the attachment for me?
Many thanks
Kind Regards
Reed Barrera
Controller
ASSETCO PLC
Other sender names include:
Marlin Rodriquez
Accountant
CLONTARF ENERGY PLC
Olive Pearson
Senior Accountant
ABERDEEN UK TRACKER TRUST PLC
Andrew Salas
Credit Management
AMTEK AUTO
The attachment is a Word document (in one sample it was a Word document saved with an .xls extension). Example filenames include:
RBAC_9971IV.xls
INV_6495NU.doc
2895SC.doc
There are four different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros [1] [2] [3] [4] leading to a download from one of the following locations:
http://188.241.116.63:8080/mops/pops.php
http://108.59.252.116:8080/mops/pops.php
http://178.77.79.224:8080/mops/pops.php
http://192.227.167.32:8080/mops/pops.php
This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56.
The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine), a well-known malware server that I recommend you block. This IP is confirmed in the Malwr report, which also shows a dropped DLL that is the same as the one found in this spam run and has a detection rate of just 2/56.
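As an added example (not part of the original post), the following Python script turns the indicators above into a simple proxy-log check: it flags the macro's payload download (the /mops/pops.php path on port 8080, on the listed hosts or on a rotated one) and the POST beacon to the 194.146.136.1:8080 server. The log format, the client addresses and the unlisted host 203.0.113.9 are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
DOWNLOAD_HOSTS = {"188.241.116.63", "108.59.252.116", "178.77.79.224", "192.227.167.32"}
DOWNLOAD_PATH = "/mops/pops.php"
C2_HOST, C2_PORT = "194.146.136.1", 8080

# Constructed log lines in a simplified Squid-like format:
# <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1420703500.123 10.0.0.12 GET http://188.241.116.63:8080/mops/pops.php 200
1420703511.456 10.0.0.12 POST http://194.146.136.1:8080/ 200
1420703520.789 10.0.0.33 GET http://www.example.com/index.html 200
1420703530.001 10.0.0.45 GET http://203.0.113.9:8080/mops/pops.php 200
1420703540.002 10.0.0.45 POST http://www.example.com/login 302
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(method, url):
    """Return a finding label for one request, or None if nothing matches."""
    u = urlparse(url)
    host = u.hostname
    port = u.port or (443 if u.scheme == "https" else 80)
    if method == "GET" and u.path == DOWNLOAD_PATH and port == 8080:
        # An exact host match is strongest; the same path and port on another
        # host most likely means the kit has rotated to a new download server.
        if host in DOWNLOAD_HOSTS:
            return "payload-download (listed host)"
        return "payload-download (unlisted host, same path)"
    if method == "POST" and host == C2_HOST and port == C2_PORT:
        return "c2-post"
    return None


def scan(log_text):
    """Return (client, label, url) for every log line that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        label = classify(m["method"], m["url"])
        if label:
            findings.append((m["client"], label, m["url"]))
    return findings


if __name__ == "__main__":
    for client, label, url in scan(SAMPLE_LOG):
        print(f"{client} {label} {url}")
```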
For researchers only, a copy of the files can be found here. Password = infected