Sponsored by..

Friday 10 July 2015

Malware spam: "Invoice reminder" / "morgan-motor.co.uk"

Nope, you haven't ordered an esoteric British sports car. This malware spam is not from the Morgan Motor Company, but is instead a simple forgery with a malicious attachment.

From     "Marie Atkins" [Marie.Atkins@morgan-motor.co.uk]
Date     Fri, 10 Jul 2015 12:50:54 +0200
Subject     Invoice reminder

Please note that so far we had not received the outstanding amounts in accordance
with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask
You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal
approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships
with us.
Other senders spotted are Effie.Henry@morgan-motor.co.uk and Carmine.Randolph@morgan-motor.co.uk although there are probably others. Attached is a ZIP file named invoice-ITK709415.zip [VT 13/54] which contains a malicious executable invoice-ITK709415.scr, this has a VirusTotal detection rate of 3/55.

The Malwr report shows that this is the Upatre downloader, which always leads to the Dyre banking trojan. The characteristic callback pattern can be seen in the network traffic:

We've seen that IP before. Another characteristic bit of traffic (but not malicious) is a HTTP request to icanhazip.com. Although this is a legitimate service to determine the IP address of the client, it is also a pretty good indicate of Upatre/Dyre infection and is worth looking out for on your network.

The downloader seems to drop a modified version of itself, in this case called aloyzan.exe and also having a 3/55 detection rate. In additional, a file named whicalous.exe [VT 1/55] is dropped.

Recommended blocklist:


No comments: