Sponsored by..

Thursday 26 February 2015

Malware spam: "Chris Christou [chris.christou@greysimmonds.co.uk]" / "Copy invoices"

This fake invoice spam comes with a malicious attachment:

From:    Chris Christou [chris.christou@greysimmonds.co.uk]
Date:    26 February 2015 at 10:45
Subject:    Copy invoices

Hello ,

Please find copy invoices attached as per our telephone conversation.

Kind regards,

Chris

Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel:  0845 130 9070
Fax: 0845 370 9071
Email:  chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com

P  “Think before you Print” - Please consider the environment before printing this e-mail

It does NOT come from Grey Simmons, nor have their systems been compromised in any way. Instead, this is a simple forgery.

I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:

http://xomma.net/js/bin.exe

This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:

92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)

This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119

No comments: