Sponsored by..

Monday 8 June 2015

Malware spam: "Bank payment" / "sarah@hairandhealth.co.uk"

This fake financial spam does not come from SBP Hair and Health but is a simple forgery with a malicious attachment.
From: sarah@hairandhealth.co.uk [mailto:sarah@hairandhealth.co.uk]
Sent: Monday, June 08, 2015 10:10 AM
Subject: Bank payment

Dear customer

Please find attached a bank payment for £3083.10 dated 10th June 2015 to pay invoice 1757.  With thanks.

Kind regards

Sarah
Accounts
Attached is a file Bank payment 100615.pdf [VT 2/57] which appears to drop a Word document with a malicious macro. Although there are probably several versions of this attachment, according to the Hybrid Analysis report it downloads a component from:

192.186.217.68/~banobatwo/15/10.exe

This is saved as %TEMP%\biksampc.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] indicate network traffic to the following IPs:

146.185.128.226 (Digital Ocean, Netherlands)
31.186.99.250 (Selectel, Russia)
176.99.6.10 (Global Telecommunications Ltd, Russia)
203.151.94.120 (Internet Thailand Company Limited, Thailand)
185.12.95.40 (RuWeb, Russia)

The Malwr report indicates that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40

MD5s:
48d496afc9c2c123e1ab0c72822a7975
6cbd6126b5761efffbe10dafaa7a4bde
2e499cacb5b3a396a3b2a08bd0f4ce1e

No comments: