Sponsored by..

Monday 29 June 2015

Malware spam: "CEF Documents" / "Dawn.Sandel@cef.co.uk" / "Dawn Sandel"

This fake financial spam does not come from City Electrical Factors but is instead a simple forgery with a malicious attachment.

From: "Dawn.Sandel@cef.co.uk" [Dawn.Sandel@cef.co.uk]
Subject: CEF Documents
Date: Mon, 29 Jun 2015 13:48:27 +0300


Please find attached the following documents issued by City Electrical Factors:

Invoice - BLA/176035 - DUCHMAID

If you have any problems or questions about these documents then please do not hesitate to contact us.

Regards,
Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818


Dawn Sandel
Group Office
Nelson & Northwest Region

City Electrical Factors Limited
Tel: 01282 698 112  Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SPv

The attachment is BLA176035.doc which contains a malicious macro. So far I have seen two different versions (Analysed here by Payload Security's Hybrid Analysis [1] [2]) which download a binary from one of the following locations:

dev.seasonsbounty.com/543/786.exe
cbebay.com/543/786.exe


This executable has a detection rate of 11/55. Those analyses show the samples phoning home to the following IPs:

78.47.139.58 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
91.121.173.193 (OVH, France)
183.81.166.5 (IP ServerOne, Malaysia)

The payload is probably Dridex, but I was not able to get a copy of the DLL.

Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5

MD5s:
65520ecd513c8b8b75f601aa2e69aeef
6bb2b8dc2129ad62ba459797c8544ff3
1396d0cb86bd400f7e364d583958ac33

No comments: