Sponsored by..

Thursday, 19 March 2015

Malware spam: "sales@marflow.co.uk" / "Your Sales Order"

This spam run pretends to come from Marflow Engineering but it doesn't, instead it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.

From:    sales@marflow.co.uk
Date:    19 March 2015 at 09:13
Subject:    Your Sales Order

Your order acknowledgment is attached.

Please check carefully and advise us of any issues.

Best regards

Marflow
Attached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:


The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?
Clicking OK loads up what looks like gobbledegook.


If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1] [2] [3] which in turn each contain a slightly different malicious macro [1] [2] [3] which then attempt to download from the following locations:

http://www.lenhausen.de/js/bin.exe
http://meostore.net/js/bin.exe
http://mvw1919.de/js/bin.exe

This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and according to the Malwr report, it phone home to the following IPs:

37.139.47.81 (Pirix, Russia)
5.100.249.215 (OMC Computers & Communications, Israel)
195.162.107.7 (Gamma Telecom, UK)
131.111.37.221 (University of Cambridge, UK)
198.245.70.182 (Deniz Toprak, Turkey / B2 Net Solutions, US)
210.205.74.43 (DAEMINCUSTOM, Korea)
46.228.193.201 (Aqua Networks Ltd, Germany)

It also drops another version of the downloader, edg1.exe which has a detection rate of 1/56 and a DLL with a detection rate of also of 1/57. The payload is the Dridex banking trojan.

Recommended blocklist:
37.139.47.0/24
5.100.249.215
195.162.107.7
131.111.37.221
198.245.70.182
210.205.74.43
46.228.193.201


6 comments:

Unknown said...

Hi,

Any chance you could post the MD5s for the droppers please?

Thank you so much for all your excellent work on Dridex :-)

Conrad Longmore said...

@Dickie, they're all in the Malwr report and if you have an account there you can download samples of all the EXEs and the DLL.

Unknown said...

Excellent - thank you!

Yvonne Tune said...

got hit with this, thanks for warning.

Unknown said...

Hey Conrad,

Thanks for posting. Along the same lines as Dickie, is there any chance you could include MD5s of the attachments in subsequent postings?

As you said, there were three flavours of this, so being able to differentiate which attachment did what would definitely speed up responses to infections.

Thanks again for all your postings.

Conrad Longmore said...

Yup, MD5s are a good idea. I will try to remember!