Sponsored by..

Thursday, 9 April 2015

Malware spam: "Matthews, Tina [tina@royalcarson.com]" / "Credit card transaction" / "Royal Wholesale Electric"

This fake financial spam does not come from Royal Wholesale Electric but it is instead a simple forgery with a malicious attachment.
From:    Matthews, Tina [tina@royalcarson.com]
Date:    9 April 2015 at 10:48
Subject:    Credit card transaction

Here is the credit card transaction that you requested.

Tina Matthews
Royal Wholesale Electric
2801 East 208th Street
Carson, CA 90810
310-637-6377 Phone
310-603-9883 Fax
tina@royalcarson.com
Running in parallel to this is another claiming to be from UK firm AquaAid which has been going on for a long time. In the first case the attachment is 20150326094147512.doc and in the second it is CAR015890001.doc, but they are the same malicious document.

The document is currently undetected by AV vendors and contains a malicious macro [pastebin] which downloads a binary from:

http://onemindgroup.com/366/114

This is saved as %TEMP%\ittext1.5.exe and has a VirusTotal detection rate of 3/49. Automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.230.60.219 (Docker Ltd, Russia)
66.110.179.66 (Microtech Tel, US)
176.108.1.17 (Cadr-TV LLE TVRC, Ukraine)
202.44.54.5 (World Internetwork Corporation, Thailand)
87.236.215.103 (OneGbits, Lithuania)
128.199.203.165 (DigitalOcean Cloud, Singapore)
128.135.197.30 (University Of Chicago, US)
185.35.77.160 (Corgi Tech Limited, UK)
46.101.38.178 (Digital Ocean, UK)
95.163.121.51 (Digital Networks CJSC aka DINETHOSTING, Russia)
92.41.107.253 (Hutchison 3G, UK)

According to the Malwr report  is also drops another variant of the downloader [VT 4/57] and a Dridex DLL [VT 4/57].

Recommended blocklist:
91.230.60.219
66.110.179.66
176.108.1.17
202.44.54.5
87.236.215.103
128.199.203.165
128.135.197.30
185.35.77.160
95.163.121.0/24

MD5s:
03ab12e578664290fa17a1a95abd71c4
48f39c245ec68bdbe6c0c93313bc8f74
90ebd79d1eac439c9c4ee1a056c9e879
62f33c7b850845cb66dcaa69e2af4443



No comments: