Wednesday 5 August 2015

Malware spam: "Booking Confirmation - Accumentia (16/9/15)" / "David Nyaruwa [david.nyaruwa@soci.org]"

This fake financial spam is not from SCI or Accumentia, but is instead a simple forgery with a malicious attachment:

From     David Nyaruwa [david.nyaruwa@soci.org]
Date     Wed, 05 Aug 2015 13:38:23 +0300
Subject     Booking Confirmation - Accumentia (16/9/15)

Please find attached a proforma invoice for Accumentia's booking of the council room
on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance
due by the date of the meeting.

Regards,

David Nyaruwa
Project Accountant
SCI, 14-15 Belgrave Square, London, SW1X 8PS
T: +44 (0)20 7598 1536  E: mailto:david.nyaruwa@soci.org <mailto:patricia.cornell@soci.org>
W: www.soci.org
SCI - where science meets business

Phenotypic Approaches in Drug Discovery<https://www.soci.org/Events/Display-Event.aspx?EventCode=FCHEM441>,
18 March 2015, SCI, London, UK
Arrested Gels: Dynamics, Structure and Application,<https://www.soci.org/Events/Display-Event?EventCode=coll148>
23-25 March 2015, Gonville & Caius, Cambridge, UK
32nd Process Development Symposium<https://www.soci.org/Events/Display-Event.aspx?EventCode=FCHEM150>,
25-27 March 2015, Churchill College, Cambridge, UK
Reagentless Synthesis<https://www.soci.org/Events/Display-Event?EventCode=fchem440>,
1 April 2015, SCI, London, UK

For the full events listing and more information go to http://www.soci.org/Events
Note that I believe that "Accumentia" is a typo for "Acumentia" but has actually been copied from the SCI's own website verbatim.

Attached is a file named Accumentia Booking (16-9-15).doc, which comes in at least two different versions [VirusTotal results 6/56 and 7/56]. Both contain a macro that looks like this [pastebin] and which, according to Hybrid Analysis [1] [2], downloads malware from the following locations:

hunde-detektive.de/75yh4/8g4gffr.exe
naturallyconvenient.co.za/75yh4/8g4gffr.exe

This file has a detection rate of 4/55 and the Malwr report shows that it phones home to the familiar IP of:

194.58.111.157 (Reg.RU, Russia)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

MD5s:
1f259a88f61e45cc6f357f2fc8dacb9c
259e882d0ffafab3437390ec7203f54d
2a7b74cac1fde6c09a06065cb83ba640
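A defender-side triage script, added here as an example and not part of the original post: it matches the indicators listed above (the two download URLs, the IP recommended for blocking, and the three MD5s) against proxy log lines and file contents. The Squid-style access.log format and the log lines below are constructed for the example, and the per-client output format is my own.

```python
import hashlib
import re

# Indicators taken from the post above.
MALICIOUS_IP = "194.58.111.157"
DOWNLOAD_HOSTS = {"hunde-detektive.de", "naturallyconvenient.co.za"}
DOWNLOAD_PATH = "/75yh4/8g4gffr.exe"
KNOWN_MD5S = {
    "1f259a88f61e45cc6f357f2fc8dacb9c",
    "259e882d0ffafab3437390ec7203f54d",
    "2a7b74cac1fde6c09a06065cb83ba640",
}

# Assumed Squid access.log layout: ts elapsed client status/code bytes method url ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
URL_RE = re.compile(r"^(?:https?://)?([^/:]+)(?::\d+)?(/[^?#]*)?")


def url_indicator(url):
    """Return a reason string if the URL matches a page indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    if host == MALICIOUS_IP:          # any contact with the C2 address, incl. CONNECT host:port
        return "c2-ip"
    # The hosts are compromised legitimate sites, so match the exact download path
    # rather than the whole domain to avoid over-blocking.
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        return "dridex-download"
    return None


def scan_proxy_log(lines):
    """Yield (client, url, reason) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := url_indicator(m.group("url"))):
            hits.append((m.group("client"), m.group("url"), reason))
    return hits


def is_known_sample(data):
    """True if the bytes hash to one of the MD5s published in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


# Constructed sample log: one download, one C2 tunnel, one benign request.
SAMPLE_LOG = """\
1438774703.101    212 10.0.0.15 TCP_MISS/200 184320 GET http://hunde-detektive.de/75yh4/8g4gffr.exe - HIER_DIRECT/192.0.2.10 application/octet-stream
1438774710.442     35 10.0.0.15 TCP_TUNNEL/200 3120 CONNECT 194.58.111.157:443 - HIER_DIRECT/194.58.111.157 -
1438774711.000     40 10.0.0.22 TCP_MISS/200 2048 GET http://www.soci.org/Events - HIER_DIRECT/203.0.113.5 text/html
"""

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url} [{reason}]")
```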