Sponsored by..

Friday 26 June 2015

Malware spam: "Order Confirmation RET-385236 250615" / "donotreply@royal-canin.fr"

This fake financial spam comes with a malicious payload:

From: [1NAV PROD RCS] [mailto:donotreply@royal-canin.fr]
Subject: Order Confirmation RET-385236 250615

Please find attached your Sales Order Confirmation

Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.

In the sample I have seen, the attachment is called Order Confirmation RET-385236 250615.doc which contains this malicious macro [pastebin] which downloads a component from the following location:

http://colchester-institute.com/708/346.exe

Usually there are several different version of the macro, each one loading an identical binary but from different locations. This file is saved as %TEMP%\biksenpd.exe and has a VirusTotal detection rate of 7/55.

According to various automated analysis tools, the sample doesn't seem to run properly [1] [2] [3] [4] but it looks like it tries to send traffic to the following IPs:

68.169.49.213 (Strategic Systems Consulting, US)
87.236.215.151 (OneGbits, Lithuania)
2.185.181.155 (ASDL Subscriber, Iran)


Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155

No comments: