Sponsored by..

Monday 16 February 2015

Malware spam: "T.A.G. (The Automotive Group) Ltd." / "Lawrence Fisher [l.fisher@taghire.co.uk]" / invoice

This fake invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a forgery with a malicous attachment. Note that the taghire.co.uk simply shows "Under Construction".
From:    Lawrence Fisher [l.fisher@taghire.co.uk]
Date:    16 February 2015 at 08:25
Subject:    invoice

Here is the invoice

Kind Regards,

Lawrence Fisher
T.A.G. (The Automotive Group) Ltd.
Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield

Tel: 020 3750 0638

Description: 150px Crop Background Remove Logo

This e-mail is confidential and may be privileged.  It may be read, copied and used only by the intended recipient. If you have received it in error, please contact the sender immediately by return e-mail or by telephoning 020 3750 0638
So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal. It contains an obfuscated Word macro which downloads an additional component from:


Usually there are two or three versions of this document, but I have only seen one. If  you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid anaylsus,

This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57.  Automated reporting tools [1] [2] [3] show that this POSTS to It appears that communication is attempted with the following IPs: (Pirix, Russia) (Webazilla, US) (Digital Networks, Russia) (One Telecom, Moldova) (BSNL / Broadband Multiplay, India) (McHost, Russia)

Also, according to the Malwr report, a DLL is dropped with a detection rate of 3/57.

Recommended blocklist:

No comments: