Sponsored by..

Tuesday, 25 August 2015

Malware spam: "Visa Card Aug 2015" / "david@ellesmere.engineering"

This fake financial spam does not come from Ellesemere Engineering but is in fact a simple forgery with a malicious attachment.

From     [david@ellesmere.engineering]
To     "'Sharon Howarth'" [sharon@ellesmere.engineering]
Date     Tue, 25 Aug 2015 09:52:47 +0200
Subject     Visa Card Aug 2015

Visa Card payments this month

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of three malicious macros [1] [2] [3] that then attempt to download a malicious binary from one of the following locations:

http://e-projekt.ns1.internetdsl.pl/45gf3/7uf3ref.exe
http://nathalieetalain.free.fr/45gf3/7uf3ref.exe
http://landrevie.g.free.fr/45gf3/7uf3ref.exe


This executable has a detection rate of just 1/55 and the Malwr report shows network traffic to:

91.239.232.9 (Hostpro Ltd, Ukraine)

I strongly recommend that you block that IP address. The payload to this is almost definitely the Dridex banking trojan.

MD5s:
c1a8edf0ea4e5b35826cdf9afdb35c94
2ef4032a000b8a5da438175302e525a4
9d98b19e6f5ea4dc883df7b3053bbfe2
25578c66ef3da0734fc3f88f89f59773

4 comments:

Alan M said...

Thank you for the explanation. I suddenly started getting scores of these. Fortunately, probably not too much of a threat to Mac users, if the payload is .exe files?

Alan M.

Conrad Longmore said...

@Alan M: yes, the payload is a Windows .exe file, Macs will be safe. I have seen a huge number of these today as well..

Ranjan said...

I have also received one similar to this. Thanks for the malwr analysis report.

Unknown said...

Hi,

Firstly Apologies for and problems caused.

I currently Work for the company in question. We are a HVCA Company based in Manchester and became aware of this problem this morning.

We have been inundated with phone calls warning us about this problem, coming from as far away as France & Sweden.

We are running Kaspersky Small Office across all PC's and Servers and all Machines are reported as clean.

The Email Address david@ellesmere.engineering has been bombarded with "Bounce Backs" to the tune of 20,500, and blocked the Server of our Email Provider.

Any ideas on how to block this would be appreciated and also and ideas how to stop it recurring in the future.

Thanks.