Sponsored by..

Wednesday 8 April 2015

Malware spam: "TWO UNPAID INVOICES" / "Wayne Moore [wayne44118@orionplastics.net]"

This fake invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.

From:    Wayne Moore [wayne44118@orionplastics.net]
Date:    8 April 2015 at 09:03
Subject:    TWO UNPAID INVOICES

4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911  DATED 1/7/15 FOR $840.80
INVOICE # 030042  DATED 1/30/15 FOR $937.00

PLEASE ADVISE WHEN  YOU SENT CHECK AND TO WHAT ADDRESS

I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT

REGARDS-WAYNE
In this case the email was malformed and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56. Extracting the document revealed this malicious macro [pastebin] which downloads an additional component from:

http://fzsv.de/11/004.exe

There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54. Automated analysis tools [1] [2] [3] shows it phoning home to the following IPs:

37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)

The Malwr report shows it attempting to connect to a couple a Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:

90.84.136.185
184.25.56.220

According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46

MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877

No comments: