Friday, 17 July 2015

Malware spam: "You've earned it" / "You've deserved it" etc

This is another randomly-generated round of malware spam, following on from this one.

Date:    17 July 2015 at 16:04
Subject:    You've earned it

You have done a great business for our company. Even when someone else lost their heart , you managed with those nuisances and pushed it through.
The luck completely goes to you. We pay attention how you toiled to make it great , and you deserve more except superior's thanks or compliments.
You have got big capability and capacity , and I'm personally sure that you'll renew that luck over and over again. We appreciate that we have you on our group.
Our head management couldn't find better words and would like to give you a exclusive bounty only for you. Please view this applied gift

Date:    17 July 2015 at 17:06
Subject:    You've earned this

You did a great work for our group. Even when everyone else lost their heart , you met with those inconveniences and struggle it.
This success certainly appertains to you. We note how you toiled to do it perfect , and you earn more except our acknowledgements or congratulations.
You have great genius and productivity , and I'm individually sure that you'll repeat the same winning over and over again. All of us appreciate that we have you on our group.
Company's head office can't find better words and want to give you a deluxe bonus just for you. Please accept the enclosed present

Date:    17 July 2015 at 17:08
Subject:    You've earned this

You did a good thing for our company. Even when everyone else lost their heart , you met with those obstacles and exert yourself to the utmost extent.
This success undoubtedly belongs to you. We note how hard you worked to do it super , and you deserve more except superior's acknowledgements or congratulations.
You have big talent and potential , and I'm individually confident that you'll repeat the same triumph over and over again. All of us appreciate that we are with you in company's group.
Our head management can't find better words and would like to make a exclusive bonus only for you. Please accept the enclosed bonus

Date:    17 July 2015 at 17:02
Subject:    You've deserved it

You did a excellent work for our group. Even when someone else lost their hope , you managed with those discommodes and pushed it through.
The victory certainly goes to you. We know how you toiled to make it good , and you must get more than management's thanks or compliments.
You have got tremendous capability and performance , and I'm individually assured that you'll redo this triumph over and over again. All of us appreciate that we got you on department's group.
Company's general department couldn't find better words and want to give you a deluxe donation just for you. Please take this enclosed  bounty 

In the samples I have seen, the attachment is called bounty.doc, Giftinfo.doc, bonus.doc, or bonusinfo.doc [VT detection rate 6/55], but the content is the same. If a potential victim opens it, the document looks like this:

[screenshot of the malicious document not included in this copy]
If the user follows these steps, this malicious macro [pastebin] will run, infecting their machine. The Hybrid Analysis report shows the macro downloading various components from:

www.buck.tv/cms/wp-content/uploads/78672738612836.txt
www.bereciartua.com/wp-content/themes/bereciartua/78672738612836.txt
www.bereciartua.com/wp-content/themes/bereciartua/papa.txt
All of these files are actually scripts, and they appear to download a malicious executable from:

195.154.93.8/123a.exe

This has a VirusTotal detection rate of 4/55, and that same VirusTotal report shows it phoning home to:

93.185.4.90:12328/ETU2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBLGBEID
93.185.4.90:12328/ETU2/<MACHINE_NAME>/41/5/4/MEBEFEBLGBEID
We've seen 93.185.4.90 a few times recently, and it is absolutely worth blocking and/or monitoring traffic to this IP.
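One way to put the indicators from this post to work on the blocking/monitoring side is to sweep web proxy logs for them. The script below is an added example, not something from the original post or the Hybrid Analysis/VirusTotal reports: it carries the download hosts, payload URL and C2 endpoint listed above, matches the beacon path generically (the <MACHINE_NAME> segment varies per victim), and runs over a handful of constructed, squid-style log lines. The log format, the client IP and the machine name in the sample lines are all assumptions made for the example.

```python
import re

# Indicators taken from the post. The C2 port and the ETU2/.../MEBEFEBLGBEID
# beacon path come from the VirusTotal report quoted above.
DOWNLOAD_HOSTS = {"www.buck.tv", "www.bereciartua.com"}
PAYLOAD_URL = "195.154.93.8/123a.exe"
C2_IP = "93.185.4.90"
C2_PORT = 12328

# /ETU2/<MACHINE_NAME>/<n>/<n or n-SPn>/<n>/MEBEFEBLGBEID
# The machine-name segment is victim-specific, so it is matched as "anything but /".
BEACON_RE = re.compile(r"^/ETU2/[^/]+/\d+/[\w-]+/\d+/MEBEFEBLGBEID$")

# Assumed log format for this example (squid-like, one request per line):
# <unix_ts> <client_ip> <method> <scheme>://<host>[:<port>]<path>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$")

# Constructed sample traffic: client 10.0.0.12 and machine name WIN7-PC are invented.
SAMPLE_LOG = """\
1437149100.123 10.0.0.12 GET http://www.example.org/index.html
1437149101.456 10.0.0.12 GET http://www.buck.tv/cms/wp-content/uploads/78672738612836.txt
1437149102.789 10.0.0.12 GET http://195.154.93.8/123a.exe
1437149103.001 10.0.0.12 GET http://93.185.4.90:12328/ETU2/WIN7-PC/0/51-SP3/0/MEBEFEBLGBEID
1437149104.222 10.0.0.12 POST http://93.185.4.90:12328/ETU2/WIN7-PC/41/5/4/MEBEFEBLGBEID
1437149105.333 10.0.0.12 GET http://93.185.4.90/other
""".splitlines()


def classify(line):
    """Return a tag naming the indicator a log line matches, or None if it is clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    host = u.group("host")
    path = u.group("path") or "/"
    port = int(u.group("port")) if u.group("port") else (443 if u.group("scheme") == "https" else 80)

    # Most specific first: the full beacon pattern on the known C2 port.
    if host == C2_IP and port == C2_PORT and BEACON_RE.match(path):
        return "c2-beacon"
    # Any other traffic to the C2 address is still worth a look.
    if host == C2_IP:
        return "c2-ip"
    if host + path == PAYLOAD_URL:
        return "payload-download"
    # First-stage scripts were served as .txt files under wp-content on the two hosts above.
    if host in DOWNLOAD_HOSTS and "wp-content" in path and path.endswith(".txt"):
        return "stage1-script"
    return None


def scan(lines):
    """Return (line_number, tag, line) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        tag = classify(line)
        if tag:
            hits.append((n, tag, line))
    return hits


if __name__ == "__main__":
    for n, tag, line in scan(SAMPLE_LOG):
        print(f"line {n}: {tag}: {line}")
```

The generic beacon regex matters more than the literal URLs: the two phone-home paths in the report differ only in the numeric segments, so a later sample from the same family would be missed by an exact-string match but still caught here.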
