Sponsored by..

Thursday 27 August 2015

Malware spam: "Payslip for period end date 27/08/2015" / "noreply@fermanagh.gov.uk"

This spam does not come from Fermanagh District Council. Of course it doesn't. It is instead a simple forgery with a malicious attachment:

From:    noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date:    27 August 2015 at 12:28
Subject:    Payslip for period end date 27/08/2015

Dear administrator

Please find attached your payslip for period end 27/08/2015

Payroll Section

Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly.

This executable has a detection rate of 3/56 and the Hybrid Analysis report indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking.

MD5:
fdea30868df48bff9e7c2b2605431d23

No comments: