Sponsored by..

Friday, 17 April 2015

Malware spam: "Julie Mckenzie [julie0526@swift-cut.co.uk]" / "Credit Card Statement"

This spam does not come from Swift Cut, but is instead a simple forgery with a malicious attachment:

From:    Julie Mckenzie [julie0526@swift-cut.co.uk]
Date:    17 April 2015 at 12:24
Subject:    Credit Card Statement

Hi
Attached your credit card statement.
Can you return with receipts by Friday 17th April.
Thanks
Julie
 
Julie McKenzie
Sales Administrator
Tel +44 (0)1543 473300
E-mail julie@swift-cut.co.uk
Attached is a file C Swift Credit Card.doc which comes in at least four different versions, all of which are malicious and all of which have a macro similar to this one [pastebin].

These macros download a file from one of the following locations:

http://oolagives.com/24/733.exe
http://derekthedp.com/24/733.exe
http://sempersleep.com/24/733.exe

This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54 (identified clearly as a Dridex component). Automated analysis [1] [2] [3] [4] shows that it attempts to communicate with:

46.36.219.32 (FastVPS, Estonia)


I recommend that you block traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53.

MD5s:
6c784bec892ce3ef849b1f34667dccac
ec35660657404295a78d8d1bcb1f1071
89b87b7c5c38039a4a46060f00a1ec37
40862ce3abb02d69ec31b8a1b62fef95
59fe482009fecc8761809a9c974a143e
f840f9075a178ab579ed2e4c622bc291


No comments: