Sponsored by..

Wednesday 25 March 2015

Malware spam: "James Dudley [James.Dudley@hitec.co.uk]" / "Payment 1142"

This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.

From:    James Dudley [James.Dudley@hitec.co.uk]
Date:    25 March 2015 at 09:38
Subject:    Payment 1142

Payment sheet attached.


T    01353 624023
F    01353 624043

Hitec Ltd
23 Regal Drive

This message has been scanned for viruses and malicious content by Green Duck SpamLab 
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:


..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.

Incidentally, the macro contains this snippet:

' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' (Last update: 2015-03-10T18:38+09:00)

All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.


UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to: (Steadfast Networks, US) (OneGbits, Lithuania) (Orange S.A., France) (Tata Indicom, India) (Digital Networks aka DINETHOSTING, Russia)

Recommended blocklist:

1 comment:

Fingers3 said...

I have received 2 of these spam e-mails from "James Dudley" sent at 10:24 and 11:25 today, 25 March, 2015.