This spam is not from a scanner, but it is instead a simple forgery with a malicious attachment:
From: noreply@victimdomain.com
Reply-To: noreply@victimdomain.com
To: victim@victimdomain.com
Date: 19 May 2014 at 18:11
Subject: Scanned image from MX-2600N
Reply to: noreply@victimdomain.com [noreply@victimdomain.com]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.
The email appears to come from the victim's own domain, but it does not: the "From" address on an email is trivial to forge. So far I have seen three different malicious attachments, each named in the format noreply@victimdomain.com_20150826_181106.doc, with detection rates of around 7/56 [1] [2] [3], containing one of three malicious macros [1] [2] [3] which attempt to download a malicious component from one of the following locations:
http://fotolagi.com/45ygege/097uj.exe
http://asterixpr.republika.pl/45ygege/097uj.exe
http://detocoffee.ojiji.net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis [1] [2] shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine), an address that has been used in several attacks recently. The payload is almost certainly the Dridex banking trojan.
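As an added example (not part of the original post, and not a tool the author used), the following Python script turns the indicators described above into two checks a mail or SOC team could run: a message triage that flags the same-domain "From" forgery, the scanner-lure subject and the attachment naming pattern, and a proxy-log scan for the three download URLs and the 91.239.232.9 address. The sample message and log lines are constructed here to exercise the checks; the indicator names, regexes and log format are my own assumptions rather than anything taken from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted in the post: second-stage download URLs and the IP
# the binary talks to once it runs.
DOWNLOAD_URLS = {
    "http://fotolagi.com/45ygege/097uj.exe",
    "http://asterixpr.republika.pl/45ygege/097uj.exe",
    "http://detocoffee.ojiji.net/45ygege/097uj.exe",
}
DOWNLOAD_PATH = "/45ygege/097uj.exe"   # catches the same payload on other hosts
C2_IP = "91.239.232.9"

# Attachment naming pattern from the post, e.g.
# noreply@victimdomain.com_20150826_181106.doc  (assumed regex, my own)
ATTACH_RE = re.compile(r"^[^@\s]+@[^_\s]+_\d{8}_\d{6}\.doc$", re.IGNORECASE)
# Subject of the lure; the model number is left variable (assumption).
SUBJECT_RE = re.compile(r"^Scanned image from MX-\d+N?$", re.IGNORECASE)


def triage_message(raw: str) -> list:
    """Return the indicator names triggered by one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    to_dom = to_addr.rpartition("@")[2]
    # The lure: "From" claims the recipient's own domain. Without message
    # authentication that header is free text, so mail that arrives from
    # outside yet claims an internal sender deserves suspicion on its own.
    if from_dom and from_dom == to_dom:
        hits.append("from_matches_recipient_domain")
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("scanner_lure_subject")
    # walk() yields the container and every MIME part; only attachments
    # carry a filename.
    for part in msg.walk():
        fname = part.get_filename()
        if fname and ATTACH_RE.match(fname):
            hits.append("attachment_name_pattern")
    return hits


def scan_proxy_log(lines) -> list:
    """Return (line_number, indicator) pairs for log lines matching the IOCs."""
    findings = []
    for n, line in enumerate(lines, 1):
        if C2_IP in line:
            findings.append((n, "c2_ip"))
        elif any(u in line for u in DOWNLOAD_URLS) or DOWNLOAD_PATH in line:
            findings.append((n, "payload_download"))
    return findings


# Constructed sample message modelled on the headers shown in the post;
# the attachment body is a placeholder, not the real macro document.
SAMPLE_MESSAGE = """\
From: noreply@victimdomain.com
Reply-To: noreply@victimdomain.com
To: victim@victimdomain.com
Subject: Scanned image from MX-2600N
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached file is scanned image in DOC format.
--b1
Content-Type: application/msword; name="noreply@victimdomain.com_20150826_181106.doc"
Content-Disposition: attachment; filename="noreply@victimdomain.com_20150826_181106.doc"

ZHVtbXk=
--b1--
"""

# Constructed proxy log lines (format is an assumption): line 1 fetches the
# payload, line 2 is benign, line 3 reaches the address seen in the sandbox.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://fotolagi.com/45ygege/097uj.exe 200",
    "10.0.0.5 GET http://www.example.com/index.html 200",
    "10.0.0.5 CONNECT 91.239.232.9:443 -",
]

if __name__ == "__main__":
    print("message indicators:", triage_message(SAMPLE_MESSAGE))
    print("proxy log findings:", scan_proxy_log(SAMPLE_PROXY_LOG))
```

The same-domain check is deliberately crude: it fires on every internal-to-internal message, so in practice it is scoped to mail that enters from an external MTA, where a "From" in your own domain should only pass if SPF, DKIM or DMARC vouches for it. The path-based match (`/45ygege/097uj.exe`) is kept alongside the exact URLs because campaigns like this rotate hosts more often than paths.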
1 comment:
Thanks - great information. The latest email I got was very good and sent to an old co-worker email account. Very clever!