From: della.richards2124@nwn.co.uk [della.richards@nwn.co.uk]Attached is a file NWN Confirmation Letter.doc which I have so far seen in two different versions, both with low detection rates [1] [2] which contain slightly different malicious macros [1] [2] which then go and download a malicious binary from one of the following locations:
Date: 18 March 2015 at 08:34
Subject: Confirmation of Booking
This booking confirmation forms a binding contract between yourselves and NWN Media Ltd.
If you do not agree with any of the details above then please contact the named sales representative on the above number immediately.
Yours sincerely,
Della
NWN Media Ltd
http://pmmarkt.de/js/bin.exe
http://deosiibude.de/deosiibude.de/js/bin.exe
These are saved as %TEMP%\zakilom86.exe and %TEMP%\Pikadlo64.exe respectively. The binaries are actually identical and have a VirusTotal detection rate of 5/57. According to the Malwr report this binary attempts to communicate with the following IPs:
31.41.45.211 (Relink Ltd, Russaia)
109.234.159.250 (Selectel Ltd, Russia)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud / IT House, Russia)
95.163.121.200 (Digital Networks CSJC aka DINETHOSTING / Russia)
It then drops what appears to be another version of itself called edg1.exe onto the target system [VT 2/55] along with a malicious Dridex DLL [VT 3/55]
Recommended blocklist:
31.41.45.211
109.234.159.250
37.59.50.19
62.76.179.44
95.163.121.0/24
No comments:
Post a Comment