Sponsored by..

Tuesday 7 April 2015

Malware spam: "Order Confirmation Order BNTO056063 06/04/2015" / "Sales-BNThermic [Sales@bnthermic.co.uk]"

This fake financial spam does not come from BN Thermic but is instead a simple forgery with a malicious attachment:

From:    Sales-BNThermic [Sales@bnthermic.co.uk]
Date:    7 April 2015 at 09:48
Subject:    Order Confirmation Order BNTO056063 06/04/2015

Thank you for your order, please find attached confirmation.

Best Regards


BN Thermic

In all cases, the attached file is called BNTO056063.DOC, but there are actually at least four different variants with one of four malicious macros [1] [2] [3] [4] which then download a component from one of the following locations:

http://heubett.de/220/68.exe
http://fzsv.de/220/68.exe
http://deosiibude.de/deosiibude.de/220/68.exe
http://bewakom.de/220/68.exe


This file is then saved as %TEMP%\wabat1.1a.exe. This executable is the same one as used in this attack and the payload is the Dridex banking trojan.

No comments: