Sponsored by..

Thursday 9 July 2015

Malware spam: "Your order No. 3269637 has been despatched" / "info@123print.co.uk"

This fake financial spam does not come from 123Print but is instead a simple forgery with a malicious attachment.

From     "info@123print" <[nfo@123print.co.uk]
Date     Thu, 09 Jul 2015 12:09:12 +0200
Subject     Your order No. 3269637 has been despatched

Dear customer

Your order 3269637 has been despatched.

Please see attachment for details.
Attached is a file 4077774.doc for which I have seen three variants [1] [2] [3] [Hybrid Analysis] which downloads a malicious executable from one of the following locations:

robindesdroits.com/43/82.exe
illustramusic.com/43/82.exe
prodasynth.com/43/82.exe

Those sites are hosted on 213.186.33.19 and 213.186.33.87 which are OVH parking IPs.

That executable has a detection rate of 8/54 and automated analysis tools [1] [2] [3] show traffic to 62.210.214.106 (OVH, France). The payload is the Dridex banking trojan.

Recommended blocklist:
62.210.214.106

MD5s:
17cfe88703b471940c22aa01a367a2a3
404b61075c9b5cb7b8ecf107b4b4ccb0
53d0ee49815c7f9740b80fdbb50f599d
0488144945839b1a8cdf5ab6f37c471d

No comments: