Sponsored by..

Tuesday 20 January 2015

Malware spam: "Undefined transactions (need assistance)"

This spam comes in a few different variants, however the body text always seems to be the same:

From:    Joyce Mills
Date:    20 January 2015 at 10:30
Subject:    Undefined transactions (need assistance) Ref:1647827ZM

Good morning
I have recently found several payments on statement with the incorrect reference. Amounts appear to be from your company, could you please confirm these payments are yours and were made from your company's bank account. If no then please reply me as soon as possible. Thanks.
P.S. Undefined transactions are included in the attached DOC.

Regards,
Joyce Mills
Senior Accounts Payable
PAYPOINT

The reference number is randomly generated and changes in each case, attached is a malicious Word document also containing the same reference number (e.g. 1647827ZM.doc). Also the name in the "From" field is consistent with the name on the bottom of the email, although this too seems randomly generated. Some examples of names, job titles and companies in use include:
Joyce Mills
Joshua King
Gonzalo Hurley
Dona Bullock
Floyd Mcintyre
Courtney Berg
Latasha Mills

Senior Accounts Payable
Remittance Manager
Accounts Payable
Remittance Manager
Accounting Team
Chef Accountant
Senior Accountant

PAYPOINT
MAJEDIE INVESTMENTS
PETROPAVLOVSK PLC
JARDINE LLOYD THOMPSON GROUP
HENDERSON GLOBAL TRUST PLC
JOHNSON MATTHEY
BLACKROCK SMALLER COMPANIES TST PLC
I have seen two different variants of Word document in circulator, both undetected by AV vendors [1] [2] and each one contains a slightly different malicious macro [1] [2] [pastebin] which attempt to download from the following locations:

http://189.79.63.16:8080/koh/mui.php
http://203.155.18.87:8080/koh/mui.php

This file is downloaded as 20.exe and is then copied to %TEMP%\324234234.exe. It has a VirusTotal detection rate of 2/57. That report indicates that it attempts to phone home to:

194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)

This IP is commonly used in this type of attack, I would strongly recommend you block it.

The Malwr report shows that this drops a Dridex DLL with a VirusTotal detection rate of 2/57, which is the same DLL as seen earlier today.

No comments: