From: Hilda Buckner
Date: 4 August 2015 at 13:29
Subject: Need your attention: OO-6212/863282
Greetings
Hope you are well
Please find attached the statement that matches back to your invoices.
Can you please sign and return.
In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them), which contains this malicious macro [pastebin].
What that macro does (other ones may be slightly different) is download a VBS script from pastebin.com/download.php?i=0rYd5TK3 [link here, safe to click] which is then saved as %TEMP%\nnjBHccs.vbs.
That VBS then downloads a file from 5.196.241.204/bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero (MD5 = 00dca835bb93708797a053a3b540db16).
The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan.
Note that the malware also sends apparently non-malicious traffic to itmages.ru, for example:
itmages.ru/image/view/2815551/2b6f1599
itmages.ru/image/view/2815537/2b6f1599
Therefore I would suggest that monitoring for traffic to itmages.ru is a fairly good indicator of compromise.
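As an added detection example (not part of the original post), the following Python scans constructed proxy log lines for the indicators named above (the pastebin stage-1 URL, the 5.196.241.204 stage-2 URL, the 80.247.233.18 C2 address and itmages.ru) and also flags any client that fetched stage 1 and then stage 2 within a few minutes, which is the macro-to-VBS-to-EXE chain described. The log line format and the client IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the analysis above (hostnames, IPs and URL paths as stated in the post).
IOC_HOSTS = {"itmages.ru", "80.247.233.18", "5.196.241.204"}
STAGE1 = re.compile(r"pastebin\.com/download\.php\?i=0rYd5TK3")   # macro fetches the VBS
STAGE2 = re.compile(r"5\.196\.241\.204/bt/bt/ched\.php")           # VBS fetches the EXE

# Constructed sample proxy log (assumed format: ISO timestamp, client IP, method, URL, status).
SAMPLE_LOG = """\
2015-08-04T13:31:02 10.0.0.15 GET http://pastebin.com/download.php?i=0rYd5TK3 200
2015-08-04T13:31:05 10.0.0.15 GET http://5.196.241.204/bt/bt/ched.php 200
2015-08-04T13:31:40 10.0.0.15 POST http://80.247.233.18/ 200
2015-08-04T13:32:10 10.0.0.15 GET http://itmages.ru/image/view/2815551/2b6f1599 200
2015-08-04T13:35:00 10.0.0.22 GET http://www.example.com/index.html 200
2015-08-04T13:36:00 10.0.0.22 GET http://itmages.ru/image/view/2815537/2b6f1599 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "host": host}

def scan(log_text, window_seconds=300):
    """Return per-client findings: IoC hosts contacted, and whether the stage-1 fetch was
    followed by the stage-2 EXE fetch within window_seconds (the download chain)."""
    findings = defaultdict(lambda: {"ioc_hosts": set(), "chain": False, "stage1_at": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        f = findings[rec["client"]]
        if rec["host"] in IOC_HOSTS:
            f["ioc_hosts"].add(rec["host"])
        if STAGE1.search(rec["url"]):
            f["stage1_at"] = rec["ts"]
        elif STAGE2.search(rec["url"]) and f["stage1_at"] is not None:
            if (rec["ts"] - f["stage1_at"]).total_seconds() <= window_seconds:
                f["chain"] = True
    return {c: f for c, f in findings.items() if f["ioc_hosts"] or f["chain"]}
```

A client showing the full chain is a much stronger signal than an itmages.ru hit alone, since the latter could also be ordinary browsing.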
2 comments:
It is ransomware, not Dridex, this time, and the most evil thing about it is that it uses a legitimate digital signature, so it will blow past antiviruses and operating system protections.
Correctly digitally signed files are treated as good.
Anyone know who this guy is? Got hacked by him a while ago. Anyone else a victim?