From: aileen.alberts@[redacted]
Date: 16 April 2015 at 15:55
Subject: Decisive notification about your Automated Clearing House payment
The Automated Clearing House transaction transfer, recently initiated from your company's online bank account, has been rejected by the EPA.
Rejected ACH payment
Automated Clearing House transfer Case # L669461617
Transaction Total 27504.02 US Dollars
[redacted]
Reason of Termination
Download full details
Please visit the link provided at the top to see more information about this problem.
The link in the email goes to a download location at dropbox.com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro [pastebin].
I haven't had the time to analyse it fully, but it is rather different from other offerings. From what I can tell, it downloads an encrypted file [pastebin] from:
sundsvallsrk.nu/tmp/1623782.txt or
hpg.se/tmp/1623782.txt
And some sort of executable from Dropbox with a detection rate of 3/57. Automated analysis tools are inconclusive at the moment [1] [2], although the Payload Security report does show several dropped files, including two malicious scripts [pastebin].
Of note is that one of the scripts downloads what looks like a PNG from:
savepic.su/5540444.png
For now, I would recommend blocking traffic to
sundsvallsrk.nu
hpg.se
savepic.su
For researchers only, I have an archive of some of the files here, password is infected.
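The block list above, turned into a check you can run over web-proxy logs, as an added example that is not part of the original post. The indicators (the three hosts and the /tmp/1623782.txt and 5540444.png paths) are the ones listed above; the Squid-style log lines are constructed for the demonstration, and the matcher is mine. It matches hosts label by label rather than by substring, so a domain that merely appears in a URL path, or a look-alike such as notsavepic.su, is not flagged, while any subdomain of a listed domain is.

```python
"""Match the post's network indicators against proxy log lines.

Added example, not code from the original post. Log lines are constructed
(assumed Squid access-log layout: timestamp elapsed client action/status
size method url ...); the indicators are the hosts and paths the post lists.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains the post recommends blocking outright.
BLOCKED_DOMAINS = {"sundsvallsrk.nu", "hpg.se", "savepic.su"}

# Exact host+path of the payload downloads named in the post. Kept separate
# so a hit on a payload URL can be ranked above other traffic to the domain.
PAYLOAD_URLS = {
    "sundsvallsrk.nu/tmp/1623782.txt",
    "hpg.se/tmp/1623782.txt",
    "savepic.su/5540444.png",
}

# Constructed sample log. Lines 4 and 5 are deliberate near-misses: the
# domain only appears in the path, and a look-alike host shares a suffix.
SAMPLE_LOG = """\
1429200000.123    312 10.0.0.15 TCP_MISS/200 2048 GET http://sundsvallsrk.nu/tmp/1623782.txt - DIRECT/1.2.3.4 text/plain
1429200001.456     90 10.0.0.15 TCP_MISS/200 512 GET http://www.hpg.se/index.html - DIRECT/5.6.7.8 text/html
1429200002.789    210 10.0.0.22 TCP_MISS/200 4096 GET http://savepic.su/5540444.png - DIRECT/9.8.7.6 image/png
1429200003.000     50 10.0.0.30 TCP_MISS/200 1024 GET http://example.com/hpg.se/tmp/1623782.txt - DIRECT/1.1.1.1 text/plain
1429200004.000     50 10.0.0.31 TCP_MISS/200 1024 GET http://notsavepic.su/5540444.png - DIRECT/2.2.2.2 image/png
"""


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    Label-aware: "www.hpg.se" matches "hpg.se", "notsavepic.su" does not
    match "savepic.su" because the boundary must be a dot.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> Optional[str]:
    """Return "payload" for a listed payload URL, "domain" for any other
    request to a blocked domain, None for everything else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not any(host_matches(host, d) for d in BLOCKED_DOMAINS):
        return None
    if f"{host}{parts.path}" in PAYLOAD_URLS:
        return "payload"
    return "domain"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (client_ip, verdict, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[2], fields[6]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def naive_substring_hits(text: str) -> int:
    """Count lines a plain substring search would flag, for comparison.

    Over-matches: it also hits the example.com and notsavepic.su lines."""
    return sum(1 for line in text.splitlines()
               if any(d in line for d in BLOCKED_DOMAINS))


if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{url}")
    print("naive substring matches:", naive_substring_hits(SAMPLE_LOG))
```

The three genuine hits come back with the two payload fetches marked "payload" and the www.hpg.se request marked "domain"; the naive substring count flags all five lines, which is the false-positive rate you pay when a shared-hosting domain like hpg.se is matched without respecting host boundaries. Blocking at the domain level, as the post suggests, still catches every subdomain, so the "domain" verdict is worth reviewing rather than discarding.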