Sponsored by..

Friday 13 March 2015

Malware spam: "Invoice (13\03\2015) for payment to COMPANY NAME"

There is a series of malware spams in progress in the following format:

Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC

Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run yesterday and one new one with zero detections which contains this malicious macro, which downloads another component from:

http://95.163.121.186/api/gbb1.exe

This is saved as %TEMP%\GHjkdfg.exe - incidentally, this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53 and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood.

The binary also drops a malicious Dridex DLL with a detection rate of 5/56. This is the same DLL as used in this spam run earlier today.

Recommended blocklist:
95.163.121.0/24

No comments: