
Monday 29 June 2015

Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"

This fake financial spam comes with a malicious payload:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    29 June 2015 at 11:46
Subject:    Payslip for period end date 29/06/2015

Dear [redacted]

Please find attached your payslip for period end 29/06/2015

Payroll Section

Attached is a file payslip.zip, which contains the malicious executable payslip.exe with a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:


That binary has a detection rate of just 2/55 [Malwr analysis]. Also, Hybrid Analysis [1] [2] shows that the following IPs are contacted for what looks to be malicious purposes:

(Landis Holdings Inc, US)
(Panhandle Telecommunications Systems Inc., US)
(ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
(Visionary Communications Inc., US)
(Chickasaw Telephone, US)
(Secom Inc, US)
(Servei De Telecomunicacions D'Andorra, Andorra)
(ISP Slovanet (MNET) Brezno, Czech Republic)
(Orion Telekom, Serbia)
(AgaNet Agata Goleniewska, Poland)
(SWAN, a.s. TRIO network, Slovakia)
(PP Merezha, Ukraine)
(Safelink Internet, US)
(Chickasaw Telephone, US)
(E-Light-Telecom, Russia)
(Trk Efir Ltd., Ukraine)
(Orion Telekom, Serbia)
(FLP Pirozhok Elena Anatolevna, Ukraine)
(Southwest Oklahoma Internet, US)
(Subnet LLC, Russia)
(TRIOLAN / Content Delivery Network Ltd, Ukraine)
(PSINet, US)
(DSi DATA s.r.o., Slovakia)
(Private Enterprise Radionet, Ukraine)
(Moldtelecom LIR, Moldova)
(Visionary Communications Inc., US)

I am unable to determine exactly what the payload is on this occasion.
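The lure here is the usual one: a zip attachment with a document-sounding name (payslip.zip) that actually carries an executable (payslip.exe). The check below is an added example, not code from this post, showing how a mail gateway or triage script can flag that pattern by inspecting each zip member's extension and its first bytes (the PE "MZ" magic) rather than trusting the attachment name. The zip contents are constructed in memory for the demonstration; they are not the real sample.

```python
import io
import zipfile

# Extensions Windows will execute directly; treat any of these in a mail
# attachment as suspicious regardless of what the outer zip is called.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for payslip.zip: one member, payslip.exe, whose
    content begins with the 'MZ' DOS/PE header (not the real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payslip.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: a zip holding a genuine-looking PDF payslip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payslip.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


def inspect_zip_attachment(data: bytes) -> list:
    """Return a finding per zip member that looks executable, with reasons.
    Both the extension and the content header are checked, so a renamed
    PE (e.g. payslip.pdf that starts with 'MZ') is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            if head == b"MZ":
                reasons.append("PE/MZ header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_zip()))  # flags payslip.exe
    print(inspect_zip_attachment(build_benign_zip()))  # []
```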

Recommended blocklist:

