From: Colin Fox [colin@nofss.co.uk]
Date: 24 April 2015 at 09:40
Subject: Invoice 519658

Please find Invoice 519658 attached

The attachment is Sales Invoice 519658.pdf [VT 2/57]. This spam drops the Dridex banking trojan, but unlike other recent runs the attachment is a PDF file rather than an Office document. In fact, the PDF file contains a script that generates and drops a Word document named 6.doc [Malwr report, Payload Security report] [VT 4/55], which in turn contains a malicious macro that looks like this [pastebin].
There may be different versions of the macro, but in this case it downloads a component from:
http://bepminhchi.com/83/61.exe
...which is saved as %TEMP%\pierre6.exe. This binary has a detection rate of 4/57, and automated analysis tools [1] [2] [3] show attempted network connections to:
185.12.95.191 (RuWeb CJSC, Russia)
149.154.64.70 (TheFirst-RU, Russia)
78.24.218.186 (TheFirst-RU, Russia)
89.28.83.228 (StarNet SRL, Moldova)
In addition, the Malwr report says that it drops a Dridex DLL with a detection rate of 4/57.
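The PDF described above is unusual for this campaign because the script and the dropped payload both live inside the PDF itself, and that combination is something a mail gateway can check for statically. The triage routine below is an added example, not code from the original post: it decodes PDF name escapes (so `/J#61vaScript` is still recognised as `/JavaScript`), counts script-related and embedded-file name objects, and flags a file that has both. The two sample PDFs are constructed for illustration and are not the real attachment.

```python
import re

# PDF name objects that together are characteristic of a script-driven
# dropper: something that executes on open plus an embedded payload file.
SCRIPT_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")
PAYLOAD_KEYS = ("/EmbeddedFile", "/Filespec")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so obfuscated keys match plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count risky name objects and decide whether the PDF looks like a dropper."""
    text = normalise_names(data)
    # Negative lookahead stops /JS matching /JSfoo and /EmbeddedFile matching /EmbeddedFiles.
    counts = {k: len(re.findall(re.escape(k.encode()) + rb"(?![A-Za-z])", text))
              for k in SCRIPT_KEYS + PAYLOAD_KEYS}
    has_script = any(counts[k] for k in SCRIPT_KEYS)
    has_payload = any(counts[k] for k in PAYLOAD_KEYS)
    return {
        "counts": counts,
        "objects": len(re.findall(rb"\d+\s+\d+\s+obj\b", text)),
        "suspicious": has_script and has_payload,
    }


# Constructed samples (not the real attachment): a plain one-page PDF, and one
# whose OpenAction runs JavaScript and which carries an embedded file named 6.doc.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n%%EOF\n")
DROPPER_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
               b"/Names << /EmbeddedFiles << /Names [(6.doc) 5 0 R] >> >> >> endobj\n"
               b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
               b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
               b"4 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj\n"
               b"5 0 obj << /Type /Filespec /F (6.doc) /EF << /F 6 0 R >> >> endobj\n"
               b"6 0 obj << /Type /Embedded#46ile /Length 4 >> stream\nPK\x03\x04\n"
               b"endstream endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("dropper", DROPPER_PDF)):
        print(name, triage_pdf(sample))
```

Keyword counting is a triage signal, not a verdict: compressed object streams hide names from a byte scan, so a real gateway should decompress `/FlateDecode` streams first and treat an unreadable PDF as worth sandboxing.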
Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228
Sample MD5s:
da26ed1b6fe69d15a400b3bc70001918
b37ea697df790121e4dda35d8ba172c3
0ea69ef635257be03043a3f70f013475
29471c1aabae10d205f474a3299486ec
2 comments:
Hello,
I opened the attachment on my Mac but nothing out of the ordinary seems to be happening. Is this trojan just for PC?
Thanks,
Mloza,
Yeah, Mac won't be affected since, looking over the pastebin for the exploit, it uses Windows .DLL files and exploits.
Mac won't be affected by this, though it would be best practice to look before opening.