
Thursday 16 July 2015

Malware spam: "Excelent job !" / "Good achievement !"

These spam emails appear to have randomly generated text, which would account for the strange language, and they come with a malicious attachment:

Date:    16 July 2015 at 12:53
Subject:    Excelent job !

Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management

---------------------

Date:    16 July 2015 at 11:53
Subject:    Good achievement !

Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management

Attached is a malicious Word document which, in the two samples I saw, was called:

total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc

Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55. Inside the document is this malicious macro [pastebin], which (according to Hybrid Analysis) downloads several components (scripts and batch files) from:

thereis.staging.nodeproduction.com/wp-content/uploads/78672738612836.txt
www.buildingwalls.co.za/wp-content/themes/corporate-10/78672738612836.txt
www.buildingwalls.co.za/wp-content/themes/corporate-10/papa.txt


These are executed, then a malicious executable is downloaded from:

midwestlabradoodles.com/wp-content/themes/twentyeleven/qwop.exe

This has a VirusTotal detection rate of 8/55, and that report plus other automated analysis tools [1] [2] show it phoning home to the following malicious URLs:

93.185.4.90:12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90:12319/LE2/<MACHINE_NAME>/41/7/4/


That IP belongs to C2NET in the Czech Republic. The malware also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the visitor's public IP address), which is a good indicator of compromise.

This malware drops the Dyre banking trojan.

Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction.com
www.buildingwalls.co.za
midwestlabradoodles.com

MD5s:
0582ed37ebb92da47fc2782e3228a4c5
ea0daafe232c6ffb8f783bb1f317fbf2
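As an added example (not part of the original post), here is a small Python script that turns the indicators above into a detection pass over proxy logs: it matches the blocklisted IP and domains, the `/LE2/<MACHINE_NAME>/...` beacon path, and the icanhazip.com lookup (treated only as supporting evidence, since that site is legitimate), and checks a file's MD5 against the two hashes listed. The log format (client, host, port, path) and the log lines themselves are constructed for the example; the machine name in the beacon line is a made-up placeholder.

```python
import hashlib
import re

# Indicators taken from the post: the recommended blocklist and the two sample MD5s.
BLOCKLIST_IPS = {"93.185.4.90"}
BLOCKLIST_DOMAINS = {
    "thereis.staging.nodeproduction.com",
    "www.buildingwalls.co.za",
    "midwestlabradoodles.com",
}
KNOWN_MD5S = {
    "0582ed37ebb92da47fc2782e3228a4c5",
    "ea0daafe232c6ffb8f783bb1f317fbf2",
}
# Beacon path shape seen in the sandbox reports: /LE2/<MACHINE_NAME>/...
BEACON_PATH = re.compile(r"^/LE2/[^/]+/")
# Legitimate service the malware contacts; on its own this is only "suspicious".
EXTERNAL_IP_LOOKUP = {"icanhazip.com"}

# Constructed sample proxy log (assumed format: client host port path).
# WORKSTATION-7 is a placeholder machine name, not from the post.
SAMPLE_LOG = """\
10.0.0.5 www.buildingwalls.co.za 80 /wp-content/themes/corporate-10/papa.txt
10.0.0.5 midwestlabradoodles.com 80 /wp-content/themes/twentyeleven/qwop.exe
10.0.0.5 icanhazip.com 80 /
10.0.0.5 93.185.4.90 12317 /LE2/WORKSTATION-7/0/51-SP3/0/MEBEFEBFEBEFJ
10.0.0.9 www.example.com 443 /index.html
"""


def classify(host, port, path):
    """Return the indicator labels that one proxy record matches."""
    hits = []
    if host in BLOCKLIST_IPS or host in BLOCKLIST_DOMAINS:
        hits.append("blocklist")
    if BEACON_PATH.match(path):
        hits.append("beacon-path")
    if host in EXTERNAL_IP_LOOKUP:
        hits.append("external-ip-lookup")
    return hits


def scan(log_text):
    """Map each internal client to the set of indicators it triggered."""
    per_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, port, path = line.split(maxsplit=3)
        hits = classify(host, int(port), path)
        if hits:
            per_client.setdefault(client, set()).update(hits)
    return per_client


def verdict(indicators):
    """Strong indicators mean compromise; the IP lookup alone is only suspicious."""
    if indicators & {"blocklist", "beacon-path"}:
        return "compromised"
    if indicators:
        return "suspicious"
    return "clean"


def is_known_sample(data):
    """True if the file content hashes to one of the MD5s listed in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, verdict(hits), sorted(hits))
```

Because the beacon path and blocklisted hosts are matched independently, a client that has already had the C2 IP blocked at the perimeter still shows up through the `/LE2/` path on any other host it tries, while a lone icanhazip.com request from a machine with no other hits is reported as "suspicious" rather than raising a false "compromised" alert.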
