Sponsored by..

Wednesday 15 April 2015

Malware spam: "Invoice from Living Water" / "Natalie [mailto:accounts@living-water.co.uk]"

This fake invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.
From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water

Dear Customer  :

Your invoice is attached.  Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Living Water
0203 139 9051
In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:

http://adlitipcenaze.com/353/654.exe

There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currecntly has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:

89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)

According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100

MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328

No comments: