From: Simply carpets [sales@simplycarpets.co.uk]
Date: 12 January 2015 at 08:11
Subject: Invoice from simply carpets of Keynsham Ltd

Your invoice is attached. Please remit payment at your earliest
convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
simply carpets of Keynsham Ltd

So far this morning I have only seen a single sample of the Word document which is undetected by any anti-virus vendors. This document contains a malicious macro [pastebin] which then downloads an additional component from:
http://haselburg.cz/js/bin.exe
This is then saved as %TEMP%\TYUhfdtUUUdsf.exe. This also has a low detection rate (identified as Dridex), and the Malwr report shows that it attempts to contact the following well-known malware C&C IPs:
74.208.11.204 (1&1, US)
59.148.196.153 (HKBN, Hong Kong)
It probably also drops a malicious DLL, although the Malwr report does not show that.
Recommended blocklist:
59.148.196.153
74.208.11.204
UPDATE: a second version of the malicious document is also in circulation, again undetected by AV vendors, but this time the macro downloads from:
http://shared.radiosabbia.it/js/bin.exe
This is exactly the same binary as downloaded by the other sample.
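
For triage, the indicators above can be matched against web proxy or firewall logs to separate clients that only fetched the payload from clients that went on to contact a C&C address. The following is an added example, not part of the original post; the log format (time, client, destination IP, URL or "-") and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicators taken from the post: (host, path) of the downloads, and the C&C IPs.
PAYLOAD_URLS = {
    ("haselburg.cz", "/js/bin.exe"),
    ("shared.radiosabbia.it", "/js/bin.exe"),
}
C2_IPS = {"74.208.11.204", "59.148.196.153"}

# Constructed sample log (assumed format: time client dest_ip url-or-dash).
SAMPLE_LOG = """\
2015-01-12T08:14:02 10.0.0.21 192.0.2.10 http://haselburg.cz/js/bin.exe
2015-01-12T08:14:09 10.0.0.21 74.208.11.204 -
2015-01-12T08:20:41 10.0.0.37 192.0.2.11 http://SHARED.radiosabbia.it/js/bin.exe?x=1
2015-01-12T08:31:00 10.0.0.50 198.51.100.7 http://example.com/js/bin.exe
2015-01-12T08:40:12 10.0.0.62 59.148.196.153 -
"""

def is_payload_url(url):
    """Match on host and path so host case or a query string does not evade it."""
    if url == "-":
        return False
    parts = urlsplit(url)
    # urlsplit().hostname is already lower-cased; it is None for malformed URLs.
    return (parts.hostname or "", parts.path) in PAYLOAD_URLS

def triage(log_text):
    """Return {client: verdict} for every client that touched an indicator."""
    stages = {}  # client -> set of observed stages
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        _, client, dest_ip, url = fields
        if is_payload_url(url):
            stages.setdefault(client, set()).add("download")
        if dest_ip in C2_IPS:
            stages.setdefault(client, set()).add("c2")
    # C&C contact means the binary ran; a download alone means the macro ran.
    return {c: "c2-contact" if "c2" in s else "download-only"
            for c, s in stages.items()}

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```

A client with C&C contact but no logged download (10.0.0.62 in the sample) may have received the binary by a path the proxy did not see, so it is still treated as the higher-severity case.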
UPDATE 2015-01-13
If you receive a spam like this and are in the UK, the good folks at Simply Carpets request that you report it to ActionFraud:
Have you received a spoof email from us ref invoice 12983? Call fraud office 03001232040 ref nfrc150100902706. Thank you for your support
3 comments:
I have had one of these today.
Thanks for info. I won't open attachment
I have also had one of these arrive today....have not and will not open document attached. Thanks for info!
Yep, I got one too, thanks for info