Sponsored by..

Tuesday 17 February 2015

Malware spam: "AR.Support@efi.com" / "Customer statement 0001031389 as on 02/05/2015"

This fake financial document has a malicious attachment:

From:    AR.Support@efi.com
To:    minutemanpresschicago@comcast.net
Date:    17 February 2015 at 10:22
Subject:    Customer statement 0001031389 as on 02/05/2015

Dear EFI Customer,


Please find attached your statement for this month. If you need invoice
copies or have any questions you can reply to this e mail and we will
contact you at the earliest.


Regards,
AR Support
AR.Support@efi.com


** Attention AP Department ** Effective April 25th our new remittance address will change to
the following. Please update your records. Thank you.

PO Box 742366
Los Angeles, CA. 90074-2366

Confidentiality notice: This message may contain confidential information. It is intended only for the person to whom it is addressed. If you are not that person, you should not use this message. We request that you notify us by replying to this message, and then delete all copies including any contained in your reply. Thank you.
Attached is a Word document Customer statement 0001031389 as on 02052015.DOC which comes in two different types with zero detection rates [1] [2] containing two highly obfuscated modular macros [1] [2]  that actually just perform a ROT13 transformation on a couple of strings.

uggc://zjpbq4.pon.cy/wf/ova.rkr
uggc://nyhpneqban.pbz/wf/ova.rkr

Which decodes to:

http://mwcod4.cba.pl/js/bin.exe
http://alucardona.com/js/bin.exe

This has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] shows the malware attempting to connect to:

202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
92.63.88.105 (MWTV, Latvia)

According to the Malwr report this drops a DLL with a detection rate of 2/57 which is probably Dridex.

Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105

No comments: