Sponsored by..

Thursday, 17 September 2015

Malware spam: "Shell E-Bill for Week 38 2015"

This fake financial spam comes with a malicious attachment:

From     [invoices@ebillinvoice.com]
To     administrator@victimdomain.com
Date     Thu, 17 Sep 2015 11:10:15 GMT
Subject     Shell E-Bill for Week 38 2015

Customer No         : 28834
Email address       : administrator@victimdomain.com
Attached file name  : 28834_wk38_2015.PDF

Dear Customer,

Please find attached your invoice for Week 38 2015.

In order to open the attached PDF file you will need
the software Adobe Acrobat Reader.

For instructions of how to download and install this
software onto your computer please visit
http://www.adobe.com/products/acrobat/readstep2.html

If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

Yours sincerely

Customer Services

======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================

Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.

MD5:
0d9c66ffedce257ea346d2c7567310ac

No comments: