Wednesday, 14 January 2015

Malware spam: "Les Mills Invoice" / "lmuk.accounts@lesmills.com"

This fake invoice pretends to come from Les Mills, but it is a forgery: Les Mills is not sending out spam, nor have their systems been compromised in any way. Instead, it is being sent by a botnet controlled by organised criminals and carries a malicious attachment.

From:    lmuk.accounts@lesmills.com
Date:    14 January 2015 at 07:49
Subject:    Les Mills Invoice

Dear Customer,
Please find attached an invoice for Les Mills goods/services.  Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
If you have any queries please email lmuk.accounts@lesmills.com or call 0207 264 0200 and select option 3 to speak to a member of the team.
Best regards,
Les Mills Finance Team

I have personally only seen one sample with an attachment Les Mills SIV035931.doc which is currently undetected by AV vendors and contains this malicious macro [pastebin]. This version of the macro attempts to download a component from:

http://ford-mustang.ro/js/bin.exe

..but this location is currently not working. However, my sources say that there is another download location of:

http://okurimono.ina-ka.com/js/bin.exe

which is loaded by a different version of the DOC that I have not yet seen. This file is saved as %TEMP%\dserrttfsdf.exe and has a VirusTotal detection rate of 2/57. The same source says that it downloads a DLL from the following IPs:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
81.27.38.97 (Webhuset Datasenter, Norway)

Some of this activity can be seen in the Malwr report including the dropped DLL which has a VirusTotal detection rate of just 2/57.

Recommended blocklist:
59.148.196.153
74.208.11.204
81.27.38.97

okurimono.ina-ka.com
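As an added example that is not part of the original post, the following Python script checks squid-style proxy log lines against the indicators listed above (the blocklist IPs, both download hosts and the /js/bin.exe path) and reports which internal clients touched them. The log lines and the client addresses are constructed for the example, not real traffic.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post: the recommended blocklist plus both download hosts.
BLOCKED_IPS = {"59.148.196.153", "74.208.11.204", "81.27.38.97"}
BLOCKED_DOMAINS = {"okurimono.ina-ka.com", "ford-mustang.ro"}
# The macro fetches /js/bin.exe from either host; flag that path on any host.
SUSPICIOUS_PATH = "/js/bin.exe"

# Squid native access log: time elapsed client code/status bytes method url ...
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(line):
    """Return the indicator hits for one log line (empty list if it looks clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = m.group("url")
    # CONNECT lines carry "host:port" with no scheme; give urlparse one so hostname works.
    parts = urlparse(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # urlparse lowercases the host for us
    reasons = []
    if host in BLOCKED_IPS:
        reasons.append(f"ip {host}")
    if host in BLOCKED_DOMAINS:
        reasons.append(f"domain {host}")
    if parts.path.endswith(SUSPICIOUS_PATH):
        reasons.append(f"path {SUSPICIOUS_PATH}")
    return reasons

def scan(lines):
    """Map each client address to every indicator hit seen for it, in log order."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            client = LINE_RE.match(line).group("client")
            hits.setdefault(client, []).extend(reasons)
    return hits

# Constructed sample log lines (hypothetical clients 10.0.0.15 and 10.0.0.22).
SAMPLE_LOG = [
    "1421222955.123 210 10.0.0.15 TCP_MISS/200 143360 GET http://okurimono.ina-ka.com/js/bin.exe - DIRECT/203.0.113.9 application/octet-stream",
    "1421222961.440 95 10.0.0.15 TCP_MISS/200 51200 GET http://59.148.196.153/ - DIRECT/59.148.196.153 application/octet-stream",
    "1421222970.010 30 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, "->", ", ".join(reasons))
```

Feeding a real access log in place of SAMPLE_LOG gives a quick list of hosts that fetched the dropper or contacted the DLL servers and should be looked at for %TEMP%\dserrttfsdf.exe.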

2 comments:

Kitten Herder said...

okurimono.ina-ka.com is currently a parked domain

ddd said...

do you want me to forward you the one they sent me?