From: James Dudley [James.Dudley@hitec.co.uk]I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57. It contains this malicious macro [pastebin] which attempts to download a component from:
Date: 25 March 2015 at 09:38
Subject: Payment 1142
Payment sheet attached.
James
T 01353 624023
F 01353 624043
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
http://madasi.homepage.t-online.de/dbcfg/32.exe
..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57. Automated analysis of this binary is pending, but is so far inconclusive.
Incidentally, the macro contains this snippet:
' (File name: AddNewSheet.bas)
' Author: SENOO, Ken
' LICENSE: CC0
' (Last update: 2015-03-10T18:38+09:00)
All that means is that this Ken Senoo created and freely licensed a Visual Basic module that the bad guys are using. It does not mean that they have anything at all to do with this malware attack.
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24
1 comment:
I have received 2 of these spam e-mails from "James Dudley" sent at 10:24 and 11:25 today, 25 March, 2015.
Post a Comment