Sponsored by..

Tuesday 3 February 2015

Malware spam: "Circor [_CIG-EDI@circor.com]" / "CIT Inv# 15000375 for PO# SP14161"

This fake finance spam pretends to be from the wholly legitimate firm Circor, but it is not. Instead, it is a forgery with a malicious Word document attached.

From:    Circor [_CIG-EDI@circor.com]
Date:    3 February 2015 at 09:56
Subject:    CIT Inv# 15000375 for PO# SP14161

Please do not respond to this email address.  For questions/inquires, please
contact our Accounts Receivable Department.

This email has been scanned by the MessageLabs outbound
Email Security System for CIRCOR International Inc.
For more information please visit http://www.symanteccloud.com
Don't be fooled by the email signature, the attachment is definitely nasty. So far I have only seen one version with a detection rate of 4/55, which contains a malicious macro [pastebin] that downloads a component from:


..which is then saved as %TEMP%\\dsfsdf.exe. This has a VirusTotal detection rate of 3/48 (it is identified as a Dridex component). According to the Malwr report, this phones home to a couple of IPs that I haven't seen before: (Universidade De Sao Paulo, Brazil) (MWTV SIA, Latvia)

It also drops a DLL with a detection rate of 3/56.

Recommended blocklist:


Wildcat said...

Just received this to a my company E-mail 11/02/2015 I DID not open attachement Just deleted AVG Didn't pick up the malware. Word Doc Name FOPRT01.DOC.

Dave W said...

Just had this at a works email address also; same details as 'Wildcat'