
Friday 13 February 2015

Malware spam: "Alison Longworth [ALongworth@usluk.com]" / "PURCHASE ORDER (34663)"

This fake purchase order spam comes with a malicious attachment:

From     Alison Longworth [ALongworth@usluk.com]
Date     13/02/2015 10:57
Subject     PURCHASE ORDER (34663)

Please find attachment below of our Purchase Order No. 34663.  Could you
please confirm receipt of this order and also advise when goods will be
available to collect.

NOTE TO ACCOUNTS: Could you please ensure all invoices for goods supplied
are forwarded promptly.  Invoices received later than 2 working days after
month end will be dated, processed and paid the following month.  To avoid
delays invoices can be sent electronically to accounts@usluk.com

Many Thanks,

Kind Regards,

Alison Longworth
Buyer (Manufacturing)
Universal Sealants (UK) Limited
Kingston House
3 Walton Road
Pattinson North
Washington
Tyne & Wear
NE38 8QA

W: www.usluk.com
E: alison.longworth@usluk.com
T: +44(0)191 416 1530
F: +44(0)191 402 1982


…Complete Solution for Bridge Deck Protection

USL BridgeCare, USL StructureCare, Nufins and Visul Systems are trading
divisions of Universal Sealants (UK) Limited.

Registered Office: Kingston House, 3 Walton Road, Pattinson North,
Washington, Tyne & Wear, NE38 8QA

Company Registration: 01494603
VAT Number: 353 8952 22

This email and any files transmitted with it are strictly confidential. It
is for the intended recipient only. If you have received this email in
error please notify the author by replying to this email. If you are not
the intended recipient, you must not disclose, copy, print or rely on this
email in any way. Any views expressed by an individual within email which
do not constitute or record professional advice relating to the business
of USL BridgeCare, USL StructureCare, Nufins and Visul Systems, do not
necessarily reflect the views of the company.

Important Notice

The information contained in this communication (including any
attachments) is confidential, may be attorney-client privileged, may
constitute inside information, and is intended only for the use of the
addressee. *Any Unauthorized use, disclosure or copying of this
information or any part thereof is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by return e-mail and destroy this communication and all
copies thereof, including all attachments.

Attached is a malicious Word document 2600_001.DOC which actually comes in two different versions with low detection rates [1] [2] containing two slightly different macros [1] [2] which download a component from the following locations:

http://stroygp.ru/js/bin.exe
http://ibw-bautzen.de/js/bin.exe


This is saved as %TEMP%\dsHHH.exe and it has a detection rate of 13/57. Automated analysis tools [1] [2] [3] show the malware POSTing to:

37.139.47.105 (Pirix, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)

The malware also drops a DLL with an MD5 of 6693f0093a2d6740149de5d6e950f6c6 (VT 6/57) which is the same Dridex DLL used in this campaign.
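The indicators above (two download URLs, two C2 addresses, the dropped loader path and the Dridex DLL hash) are the things a defender would sweep logs and endpoints for. The script below is an added example, not code from this blog or from any analysis tool linked in the post: it loads the post's indicators, parses constructed Squid native-format proxy log lines, checks a constructed list of endpoint file paths for the %TEMP%\dsHHH.exe loader, and compares a byte string's MD5 against the DLL hash. It goes slightly beyond the page by also flagging any download whose path ends in /js/bin.exe, since both payload URLs share that path and a later host rotation would otherwise slip past an exact-URL match. The host rotated.example, the client and peer IPs, and the file paths are all constructed sample data.

```python
"""IoC sweep for the Dridex campaign described in the post.

Indicators are copied from the post; the proxy log lines, file paths and
sample bytes are constructed for this example.
"""
import hashlib
from urllib.parse import urlsplit

# Indicators from the post
DOWNLOAD_URLS = {
    "http://stroygp.ru/js/bin.exe",
    "http://ibw-bautzen.de/js/bin.exe",
}
C2_IPS = {"37.139.47.105", "5.39.99.18"}
DRIDEX_DLL_MD5 = "6693f0093a2d6740149de5d6e950f6c6"
DROPPED_EXE_NAME = "dshhh.exe"  # %TEMP%\dsHHH.exe, compared case-insensitively

# Derived: hostnames of the payload URLs
DOWNLOAD_HOSTS = {urlsplit(u).hostname for u in DOWNLOAD_URLS}


def classify_request(method, url, peer_ip):
    """Return the list of reasons a single proxy request matches the campaign."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url in DOWNLOAD_URLS:
        reasons.append("known payload URL")
    elif host in DOWNLOAD_HOSTS:
        reasons.append("known payload host")
    # Both payload URLs share the path /js/bin.exe; flag that path on any
    # host so a rotated download domain is still caught (generalisation).
    elif parts.path.lower().endswith("/js/bin.exe"):
        reasons.append("payload path pattern /js/bin.exe")
    if host in C2_IPS or peer_ip in C2_IPS:
        reasons.append("known C2 address" + (" (POST)" if method == "POST" else ""))
    return reasons


def scan_proxy_log(text):
    """Parse Squid native-format lines; return (line_no, url, reasons) for hits.

    Field layout: time elapsed client code/status bytes method url user peer/host type
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 9:
            continue  # blank or malformed line
        method, url = fields[5], fields[6]
        peer_ip = fields[8].split("/", 1)[-1]
        reasons = classify_request(method, url, peer_ip)
        if reasons:
            hits.append((line_no, url, reasons))
    return hits


def is_dridex_dll(data):
    """True if the bytes hash to the Dridex DLL MD5 given in the post."""
    return hashlib.md5(data).hexdigest() == DRIDEX_DLL_MD5


def find_dropped_exe(paths):
    """Return paths whose file name is the dropped loader inside a Temp directory."""
    found = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        if norm.split("\\")[-1] == DROPPED_EXE_NAME and "\\temp\\" in norm:
            found.append(p)
    return found


# Constructed sample data (not real traffic or hosts)
SAMPLE_PROXY_LOG = """\
1423824000.101    120 10.0.0.21 TCP_MISS/200 2312 GET http://www.usluk.com/ - DIRECT/203.0.113.10 text/html
1423824015.332    540 10.0.0.21 TCP_MISS/200 187392 GET http://stroygp.ru/js/bin.exe - DIRECT/203.0.113.50 application/octet-stream
1423824030.004     35 10.0.0.21 TCP_MISS/200 412 POST http://37.139.47.105/ - DIRECT/37.139.47.105 text/html
1423824031.120     22 10.0.0.22 TCP_MISS/200 9001 GET http://example.org/js/app.js - DIRECT/198.51.100.7 application/javascript
1423824040.500    300 10.0.0.23 TCP_MISS/200 187392 GET http://rotated.example/js/bin.exe - DIRECT/198.51.100.9 application/octet-stream
"""

SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\dsHHH.exe",
    r"C:\Users\alice\Documents\2600_001.DOC",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for line_no, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {url} -> {', '.join(reasons)}")
    print("dropped loader:", find_dropped_exe(SAMPLE_PATHS))
    print("sample bytes are the Dridex DLL:", is_dridex_dll(b"not the real dll"))
```

Run against a real Squid access.log by passing its contents to scan_proxy_log; a hit on the payload URL followed by a POST to one of the C2 addresses from the same client is the sequence the post describes and is worth an immediate endpoint check for the dropped loader.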

