Date: 23 June 2015 at 14:14Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
Subject: Hope this e-mail finds You well
Good day!
Hope this e-mail finds You well.
Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.
Stacey Grimly,
Project Manager
check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717
The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.
Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations:
93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)
These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:
104.174.123.66 (Time Warner Cable, US)
The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66
MD5s:
67f05372a34534c5892defb29ba8ead7
267e23f6430999f4b71a074835f19fb2
cebf89f088458f3e89599ae44d03cddf
cfdcb1cbe8983707287be4a03cdb88b4
880ba84222524510c9fe3b3d80429816
No comments:
Post a Comment