Tuesday, 31 March 2015

Malware spam: "Your PO: SP14619" / "Sam S. [sales@alicorp.com]"

This fake financial spam comes with a malicious attachment:

From:    Sam S. [sales@alicorp.com]
Date:    31 March 2015 at 07:45
Subject:    Your PO: SP14619

Your PO No: SP14619 for a total of $ 13,607.46
has been sent to New Era Contract Sales Inc. today.

A copy of the document is attached

Regards,
New Era Contract Sales Inc.'s Document Exchange Team

In the sample I have seen, the attachment is APIPO1.doc with a VirusTotal detection rate of 5/56, and it contains this malicious macro [pastebin] which downloads a component from:

http://xianshabuchang.com/54/78.exe

which is saved as %TEMP%\kkaddap7b.exe. This malicious executable has a detection rate of 3/56. Various analysis tools [1] [2] [3] show that it phones home to the following IPs:

91.230.60.219 (Docker Ltd / ArtVisio Ltd, Russia)
185.91.175.39 (Webstyle Group LLC / Rohoster / MnogoByte, Russia)
46.101.38.178 (Digital Ocean, Netherlands)
87.236.215.103 (OneGbits, Lithuania)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
128.199.203.165 (DigitalOcean Cloud, Singapore)

According to the Malwr report it drops another version of itself called edg1.exe [VT 2/56] and what appears to be a Dridex DLL [VT 3/56].

Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165

MD5s:
f5ecc500c2b74612e33c0522104fb999
716d1dc7285b017c2dbc146dbb2e319c
2cb0f18ba030c1ab0ed375e4ce9c0342
6218264a6677a37f7e98d8c8bd2c13e9

UPDATE:
A couple of reports from Payload Security [1] [2] also give some insight into the malware, including an additional but well-known IP to block:

95.163.121.178 (Digital Networks CJSC aka DINETHOSTING, Russia)
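As an added example (not part of the original post), here is a small Python checker that matches the destination addresses in firewall log lines against the recommended blocklist above, including the /24 ranges and the IP from the update; the log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Recommended blocklist from the post (two /24 ranges plus single hosts).
BLOCKLIST = [
    "91.230.60.0/24", "185.91.175.0/24", "46.101.38.178", "87.236.215.103",
    "66.110.179.66", "176.108.1.17", "202.44.54.5", "128.199.203.165",
    "95.163.121.178",  # added in the UPDATE
]
NETWORKS = [ipaddress.ip_network(e, strict=False) for e in BLOCKLIST]

# Constructed sample firewall log lines; the key=value format is an assumption.
SAMPLE_LOG = """\
2015-03-31T08:01:12Z src=10.0.0.23 dst=91.230.60.219 dport=443 action=allow
2015-03-31T08:01:15Z src=10.0.0.23 dst=185.91.175.39 dport=8080 action=allow
2015-03-31T08:02:40Z src=10.0.0.41 dst=93.184.216.34 dport=80 action=allow
2015-03-31T08:03:02Z src=10.0.0.23 dst=46.101.38.178 dport=443 action=deny
2015-03-31T08:03:59Z src=10.0.0.57 dst=91.230.60.7 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def match_blocklist(ip_text):
    """Return the blocklist entry that covers ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # not an IP literal (e.g. a hostname); nothing to match
    for entry, net in zip(BLOCKLIST, NETWORKS):
        if ip in net:
            return entry
    return None

def find_hits(log_text):
    """Return (src, dst, matched_entry) for every line whose destination is listed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = match_blocklist(m.group("dst"))
        if entry:
            hits.append((m.group("src"), m.group("dst"), entry))
    return hits

def hosts_to_review(log_text):
    """Internal hosts that contacted any listed address, for triage."""
    return sorted({src for src, _, _ in find_hits(log_text)})

if __name__ == "__main__":
    for src, dst, entry in find_hits(SAMPLE_LOG):
        print(f"{src} -> {dst} matches {entry}")
    print("hosts to review:", hosts_to_review(SAMPLE_LOG))
```

Note that a denied connection still counts as a hit: an internal host attempting to reach one of these addresses is worth triage even when the firewall stopped it.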
