Sponsored by..

Wednesday 11 March 2015

Malware spam: Message from "RNP0026735991E2" / "inv.09.03"

This pair of spam emails are closely related and have a malicious attachment:

From:    admin.scanner@victimdomain
Date:    11 March 2015 at 08:49
Subject:    Message from "RNP0026735991E2"

This E-mail was sent from "RNP0026735991E2" (MP C305).

Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain

Attachment: 201503071457.xls
----------

From:    Jora Service [jora.service@yahoo.com]
Date:    11 March 2015 at 09:27
Subject:    inv.09.03

Attachment: INV 86-09.03.2015.xls

Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:

http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe

The file is then saved as %TEMP%\fJChjfgD675eDTU.exe  which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:

188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

It also drops a couple more malicious binaries with the following MD5s:

8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]

Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159

No comments: