Sponsored by..

Tuesday 6 January 2015

Malware spam: SGBD National Payments Centre / Saint Gobain UK / This is your Remittance Advice

This fake financial spam has a malicious payload:

Date:    6 January 2015 at 08:56
Subject:    This is your Remittance Advice #ATS29858

DO NOT REPLY TO THIS EMAIL ADDRESS

Please find attached your remittance advice from Saint Gobain UK.
For any queries relating to this remittance please notify the Payment Enquiry Team on 01484913947

Regards,
SGBD National Payments Centre

Note that this email is a forgery. Saint Gobain UK are not sending the spam, nor have their systems been compromised in any way. Instead, criminals are using a botnet to spam out malicious Excel documents.

Each email has a different reference number, and the attachment file name matches. The telephone number is randomly generated in each case, using a dialling code of 01484 which is Huddersfield (in the UK). There will probably be a lot of confused people in Huddersfield at the moment.

There are actually four different version of the malicious Excel file, none of which are detected by anti-virus vendors [1] [2] [3] [4] containing four different but similar macros [1] [2] [3] [4] [pastebin] which then download a component from one of the following locations:

http://213.174.162.126:8080/mans/pops.php
http://194.28.139.100:8080/mans/pops.php
http://206.72.192.15:8080/mans/pops.php
http://213.9.95.58:8080/mans/pops.php


This file is downloaded as test.exe and it then saved as %TEMP%\1V2MUY2XWYSFXQ.exe. It has a VirusTotal detection rate of just 3/48. That report shows that the malware then connects to the following URLs:

http://194.146.136.1:8080/
http://179.43.141.164/X9BMtSKOfaz/e&WGWM+o%3D_c%26%248/InRRqJL~L
http://179.43.141.164/TiHlXjsnCOo8%2C/fS%24P/VZFrel2ih%2Dlv+%26aTn
http://179.43.141.164/suELl1XsT%2CFX.k%26z4./sn%3F=/%3Ffw/HFBN@8J
http://179.43.141.164/fhmhi/igm/c&@%7E%2Dj.==m~cg_%2B%2C%3Daggs.%2Dkgm%26$~@fk@g/a%2Cgm+lkb%2D.~$kh/


194.146.136.1 is allocated to PE "Filipets Igor Victorovych" in Ukraine. 179.43.141.164 is Private Layer Incin Panama. I would definitely recommend blocking them and possibly the entire /24s in which they are hosted.

The Malwr report shows no activity, indicating that it is hardened against analysis.

Recommend blocklist:
194.146.136.1
179.43.141.164

213.174.162.126
194.28.139.100
206.72.192.15
213.9.95.58

1 comment:

Kitten Herder said...

Infected systems appear to use this user-agent string for the C2:

'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:10.0) like Gecko'