
Monday 7 September 2015

Malware spam: "Credit Note CN-60938 from Stilwell Financial Inc" / "message-service@post.xero.com"

This fake financial spam comes with a malicious payload.
From:    Accounts [message-service@post.xero.com]
To:    hp_printer@victimdomain.com
Date:    7 September 2015 at 11:55
Subject:    Credit Note CN-60938 from Stilwell Financial Inc for victimdomain.com (0178)

Hi Boris,

To download your credit note CN-60938 for 401.04 GBP please follow the link below : https://get.xerofiles.com/[snip]

This has been allocated against invoice number

If you have any questions, please let us know.

Thanks,
Stilwell Financial Inc

In the only sample I saw, the download location pointed to a file at xerofiles.com, which came up with a 403 error. This domain belongs to an accounting service called Xero; it is unclear if they were actually hosting the malware or if there is some error in the spam email itself.

Somewhat interestingly, the bad guys have attempted to forge the mail headers to make it look like it comes from Xero itself.
Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])
    by [redacted] (Postfix) with ESMTP id 74F50400BE;
    Mon,  7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (198.61.155.105) by
 GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
 Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <message-service@post.xero.com>
To:  hp_printer@[redacted]
Date: Mon, 7 Sep 2015 12:55:16 +0200
Subject: Credit Note CN-60938 from Stilwell Financial Inc for [redacted] (0178)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailer: aspNetEmail ver 3.5.2.0
Message-ID: <504359-L45H474JYDT96LCSOCCGF9O9R1IXJTQ2949EW0C2@xero.com>
The forged part is the second Received: line, which claims the message passed from mail2.go.xero.com through a Microsoft outlook.com protection server; the top Received: line was added by the recipient's own Postfix server and records the actual sending IP, 95.9.34.122 in Turkey. The forgery is also sloppy: 10.997.33.92 is not a valid IPv4 address (no octet can exceed 255), and the HELO name 78.187.120.220.static.ttnet.com.tr does not match the address the server actually saw the connection from. I don't know what the payload is in this case as the download location doesn't work; it will most likely be some sort of banking trojan.
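As an added example (not part of the original post), the Python below walks the Received: chain of this sample the way an analyst would: it unfolds the headers, treats only the topmost Received: line (written by the receiving MTA) as trustworthy, pulls the true connecting IP from it, and flags the tells visible above in the sender-supplied hop, namely an impossible octet in 10.997.33.92 and a HELO name embedding 78.187.120.220 while the connection actually came from 95.9.34.122. The header text is re-typed from the post with the recipient host left as [redacted]; the function and field names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the Received: lines quoted in the post, re-typed with the
# recipient's hostname left as [redacted] exactly as the post shows it.
SAMPLE_HEADERS = """\
Received: from 78.187.120.220.static.ttnet.com.tr (unknown [95.9.34.122])
    by [redacted] (Postfix) with ESMTP id 74F50400BE;
    Mon,  7 Sep 2015 11:59:12 +0100 (BST)
Received: from mail2.go.xero.com (198.61.155.105) by
 GCN5B9ZDBKTFX.mail.protection.outlook.com (10.997.33.92) with Microsoft SMTP
 Server id 05.9.975.7 via Frontend Transport; Mon, 7 Sep 2015 12:55:16 +0200
From: Accounts <message-service@post.xero.com>
"""

IPV4_TOKEN = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

@dataclass
class Hop:
    from_name: Optional[str] = None     # name the sending host gave (HELO/EHLO or claimed)
    from_comment: Optional[str] = None  # "(rdns [ip])" or "(ip)" as recorded by the MTA
    by_name: Optional[str] = None
    by_comment: Optional[str] = None
    findings: List[str] = field(default_factory=list)

def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded lines
    (RFC 5322: a line starting with whitespace continues the previous header)."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_received(value: str) -> Hop:
    """Extract the 'from <name> (<comment>)' and 'by <name> (<comment>)' clauses."""
    hop = Hop()
    m = re.search(r"\bfrom\s+(\S+)\s*(\([^)]*\))?", value)
    if m:
        hop.from_name, hop.from_comment = m.group(1), m.group(2)
    m = re.search(r"\bby\s+(\S+)\s*(\([^)]*\))?", value)
    if m:
        hop.by_name, hop.by_comment = m.group(1), m.group(2)
    return hop

def ip_literals(text: Optional[str]) -> List[Tuple[str, bool]]:
    """Every dotted-quad token in text, flagged True if it is a valid IPv4 address.
    A real MTA never writes an octet above 255, so False is a forgery tell."""
    out = []
    for tok in IPV4_TOKEN.findall(text or ""):
        try:
            ipaddress.IPv4Address(tok)
            out.append((tok, True))
        except ipaddress.AddressValueError:
            out.append((tok, False))
    return out

def audit_received_chain(raw_headers: str) -> List[Hop]:
    """Walk the Received: lines top-down. Only the topmost was written by the
    receiving MTA; everything below arrived inside the message and is a claim."""
    hops = [parse_received(v) for n, v in unfold_headers(raw_headers) if n.lower() == "received"]
    for idx, hop in enumerate(hops):
        hop.findings.append("trusted: written by the receiving MTA" if idx == 0
                            else "untrusted: supplied by the sender, treat as a claim")
        for clause, comment in (("from", hop.from_comment), ("by", hop.by_comment)):
            for tok, ok in ip_literals(comment):
                if not ok:
                    hop.findings.append(f"impossible IPv4 literal {tok} in '{clause}' clause")
        # HELO name embedding one address while the MTA saw the connection from another
        claimed = [t for t, ok in ip_literals(hop.from_name) if ok]
        seen = [t for t, ok in ip_literals(hop.from_comment) if ok]
        if claimed and seen and claimed[0] != seen[0]:
            hop.findings.append(f"HELO name embeds {claimed[0]} but connection came from {seen[0]}")
        if hop.from_comment and "unknown" in hop.from_comment:
            hop.findings.append("no reverse DNS for the connecting IP")
    return hops

def true_sender_ip(hops: List[Hop]) -> Optional[str]:
    """Connecting address recorded by the first trusted hop (the topmost line)."""
    valid = [t for t, ok in ip_literals(hops[0].from_comment) if ok] if hops else []
    return valid[0] if valid else None

if __name__ == "__main__":
    chain = audit_received_chain(SAMPLE_HEADERS)
    print("true sending IP:", true_sender_ip(chain))
    for i, hop in enumerate(chain):
        print(f"hop {i}: from {hop.from_name} by {hop.by_name}")
        for finding in hop.findings:
            print("   -", finding)
```

Run against the sample it reports 95.9.34.122 as the real sender and attaches the two forgery findings to the fake hop; on a genuine Xero notification the chain would continue unbroken from the topmost line down to Xero's own servers, with every literal a valid address.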
