Sponsored by..

Monday 1 June 2015

Malware spam: "simonharrington@talktalk.net" / "Subject: Emailing: slide1"

This malware spam arrived in my mailbox in a somewhat mangled state.
From:    Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700
  Instead of having an attachment, it has a Base 64 encoded section like this:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA
AAAAEAAALAAAAAQAAAD+////AAAAACkAAAB+AAAA////////////////////////////////

As it is, this email is harmless because all the bad stuff needs decoding. Extracing that section and decoding it gives a file named slide1.doc which contains this malicious macro [pastebin].

This macro downloads a malicious component from:

http://irpanet.com/1/09.exe

Which has a VirusTotal detection rate of 7/56.  This Malwr report shows it communicating with the same IPs we saw earlier:

31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)


It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
0d02257ec18b92b3c1cf58b8cb6b3d37
cef5555f191735867c34868c346501ad

Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells  (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people..

No comments: