From: sales@ispitrade.com
Date: Tue, 25 Aug 2015 20:37:09 +0800
Subject: Invoice 26949 from I - SPI Ltd

Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions [1] [2] [3] [4] [5] [6], each containing a malicious macro like this one [pastebin] that downloads an executable from one of the following locations:
http://landrevie.g.free.fr/45gf3/7uf3ref.exe
http://e-projekt.ns1.internetdsl.pl/45gf3/7uf3ref.exe
http://nathalieetalain.free.fr/45gf3/7uf3ref.exe
http://claudio.locatelli.free.fr/45gf3/7uf3ref.exe
http://spitlame.free.fr/45gf3/7uf3ref.exe
This Hybrid Analysis report shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run; I recommend that you block it. The payload here is almost definitely the Dridex banking trojan.
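As an added example that is not part of the original post, the check below runs the indicators above over a few constructed Squid-style proxy log lines. Because every download URL shares the same path, it also flags that path on hosts not in the list; the log format, the sample entries and the client addresses are assumptions.

```python
"""Match the download URLs and C2 IP from this post against proxy log lines."""
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
DOWNLOAD_URLS = [
    "http://landrevie.g.free.fr/45gf3/7uf3ref.exe",
    "http://e-projekt.ns1.internetdsl.pl/45gf3/7uf3ref.exe",
    "http://nathalieetalain.free.fr/45gf3/7uf3ref.exe",
    "http://claudio.locatelli.free.fr/45gf3/7uf3ref.exe",
    "http://spitlame.free.fr/45gf3/7uf3ref.exe",
]
C2_IPS = {"91.239.232.9"}
DOWNLOAD_HOSTS = {urlsplit(u).hostname for u in DOWNLOAD_URLS}
# All download URLs share one path; matching on it catches hosts not yet listed.
DOWNLOAD_PATHS = {urlsplit(u).path for u in DOWNLOAD_URLS}

# Assumed Squid access.log layout: ts elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

# Constructed sample log lines (client and upstream addresses are made up).
SAMPLE_LOG = """\
1440506229.101 312 10.0.0.12 TCP_MISS/200 184320 GET http://nathalieetalain.free.fr/45gf3/7uf3ref.exe - HIER_DIRECT/192.0.2.10 application/octet-stream
1440506230.555 20 10.0.0.12 TCP_TUNNEL/200 5120 CONNECT 91.239.232.9:443 - HIER_DIRECT/91.239.232.9 -
1440506231.007 15 10.0.0.34 TCP_MISS/200 2048 GET http://example.invalid/45gf3/7uf3ref.exe - HIER_DIRECT/192.0.2.11 application/octet-stream
1440506232.000 10 10.0.0.55 TCP_MISS/200 1024 GET http://www.example.org/index.html - HIER_DIRECT/192.0.2.12 text/html
"""

def classify(line):
    """Return (client_ip, reason) if the line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, _method, url = m.groups()
    # CONNECT requests log "host:port" with no scheme; add "//" so urlsplit sees a netloc.
    parts = urlsplit(url if "://" in url else "//" + url)
    host, path = parts.hostname, parts.path
    if host in C2_IPS:
        return (client, "traffic to known Dridex C2 IP " + host)
    if host in DOWNLOAD_HOSTS:
        return (client, "download host from spam run: " + host)
    if path in DOWNLOAD_PATHS:
        return (client, "download path from spam run on unlisted host: " + host)
    return None

def scan(lines):
    """Return the list of (client_ip, reason) hits across all log lines."""
    return [hit for hit in (classify(l) for l in lines) if hit is not None]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG.splitlines()):
        print(client, reason)
```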
1 comment:
Conrad, thanks very much for this update on your site, it has helped alleviate some of the customer care issues we have faced over the last few days, we have had over 17000 emails (that's just the bouncebacks) and 250 phone calls since this started.
Stephen Wales
Twisted Pixels on behalf of iSpi Trade