From "Marie Atkins" [Marie.Atkins@morgan-motor.co.uk]Other senders spotted are Effie.Henry@morgan-motor.co.uk and Carmine.Randolph@morgan-motor.co.uk although there are probably others. Attached is a ZIP file named invoice-ITK709415.zip [VT 13/54] which contains a malicious executable invoice-ITK709415.scr, this has a VirusTotal detection rate of 3/55.
Date Fri, 10 Jul 2015 12:50:54 +0200
Subject Invoice reminder
Please note that so far we had not received the outstanding amounts in accordance
with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask
You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal
approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships
with us.
The Malwr report shows that this is the Upatre downloader, which always leads to the Dyre banking trojan. The characteristic callback pattern can be seen in the network traffic:
http://38.65.142.12:12569/RT77/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://38.65.142.12:12569/RT77/HOME/41/5/1/ELHBEDIBEHGBEHK
We've seen that IP before. Another characteristic bit of traffic (but not malicious) is a HTTP request to icanhazip.com. Although this is a legitimate service to determine the IP address of the client, it is also a pretty good indicate of Upatre/Dyre infection and is worth looking out for on your network.
The downloader seems to drop a modified version of itself, in this case called aloyzan.exe and also having a 3/55 detection rate. In additional, a file named whicalous.exe [VT 1/55] is dropped.
Recommended blocklist:
38.65.142.12
MD5s:
ef068f3b4e1927de34273d98c88d3abc
cd90c812c9e8a1168ecd89fb8f64ea05
99960df0cddf89e2e8eac54f371da63b
1f8e40aa49e9c3e633e450e85a888ba2
No comments:
Post a Comment