Sponsored by..

Thursday, 23 July 2015

Malware spam: "Order Form for Job Number 2968347" / "steve.champion@printing.com"

This fake financial spam does not comes from printing.com but is instead a simple forgery with a malicious attachment.

From     "steve.champion@printing.com" [steve.champion@printing.com]
Date     Thu, 23 Jul 2015 18:23:44 +0700
Subject     Order Form for Job Number 2968347

Hello ,

Thanks for your order, job reference 2968347. Please open the attached order form,
read it and check it.

To Accept your order:
- Visit http://www.printing.com/uk/
- Sign in (see below if you don't have a username or you've forgotten your password);
- In the "My Orders" section, click on job 2968347;
- Click the "Accept" button at the bottom of the screen;

If you have any queries about the order please call me before you accept it.

Thanks again for your order!

Kind Regards,

Steve Champion

printing.com Middlesbrough
Cargo Fleet Offices
Middlesbrough Rd
Middlesbrough
TS6 6XH
Tel: 01642 205649
Fax:
Email: steve.champion@printing.com

Franchises are independently owned and operated under licence. Dan James Limited.
Registered in England No. 5164910 Registered Address: Rede House, 69-71 Corporation
Road, Middlesbrough, TS1 1LY VAT Registration No.: GB 847 8229 85

Attached is a file OrderForm2968347.docm which I have seen in three different versions (there are maybe more) with various detection rates [1] [2] [3]. They contain a malicious macro like this one [pastebin].

The macro downloads a malicious binary from one of the following locations:

solution-acouphene.fr/mini/mppy.exe
surflinkmobile.fr/mini/mppy.exe
verger-etoile.fr/mini/mppy.exe


All of these are on the same compromised OVH France server of 94.23.1.145. The binary has a detection rate of just 2/54 and it is saved as %TEMP%\ihhadnic.exe. Automated analysis [1] [2] [3] shows attempted network traffic to:

85.25.199.246 (PlusServer AG, Germany)
194.58.96.45 (Reg.Ru, Russia)
31.131.251.33 (Selectel, Russia)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
85.25.199.246
194.58.96.45
31.131.251.33
94.23.1.145

MD5s:
74fca464697b5816acfe9140ee387ecd
fd8291e5147abef45654f3da6d5cfc28
a32eb507c674d82c6161bb606f594782
a3e64d3f4fa2168315428e573746caf4

No comments: