Sponsored by..

Tuesday, 25 August 2015

Malware spam: "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" via sugarsync.com

 This fake Dropbox email leads to malware, hosted on the sharing service sugarsync.com.

From:    June Abel via Dropbox [no-reply@dropbox.com]
Date:    25 August 2015 at 12:59
Subject:    June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you


June used Dropbox to share a file with you!

Click here to download.



© 2015 Dropbox
I have seen three different samples with different download location:

https://www.sugarsync.com/pf/D3941255_827_052066225?directDownload=true
https://www.sugarsync.com/pf/D160756_82_6104120627?directDownload=true
https://www.sugarsync.com/pf/D2694666_265_638165437?directDownload=true

In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55. Analysis is pending, but the payload appears to be the Dyre banking trojan.

UPDATE: 
The Hybrid Analysis report shows traffic to 197.149.90.166 (Cobranet, Nigeria) which I recommend you block.

Posted by at
Labels: , , , ,

1 comment:

Eduardo Bruno da Costa Krukoski said...

https://www.sugarsync.com/pf/D3157977_837_126425935 point to file: Orçamento-0388.zip
with Planilha-0029304.exe inside.
http://virustotal.com analise as a Win-Trojan/MDA.630F094C or Trojan.MSIL.Injector.BBT


They don't have email to abuse report!

16 November 2015 at 16:47

Post a Comment

Subscribe to: Post Comments (Atom)