From: "deborah Sherer" [thesherers@westnet.co.uk]
Date: Fri, 23 Oct 2015 17:03:19 +0700
Subject: cleaning invoice

Hello
attached is invoice for payment
thanks
Deborah Sherer
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro that looks like this [pastebin] and downloads a malicious binary from one of the following locations:

www.bhtfriends.org/tydfyyur54/43e67tko.exe
zomb.webzdarma.cz/tydfyyur54/43e67tko.exe
nisanyapi.com/tydfyyur54/43e67tko.exe
This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55 (that's just a generic detection by Kaspersky).
That VirusTotal report plus this Hybrid Analysis report show network traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
Private sources also identify the following IPs as part of the C2 infrastructure:
157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232
MD5s:
d897c1cdab10a2c8cb5ce95bff03411f
a4bdc332d9cecafcc8381cd6e5ff4667
16fabe48278f84f8ae1bc682a3bd71d7
c08519230b49ad87bc6aa12933aa0cec
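As an added example (not part of the original post), here is a small Python checker that looks for the indicators listed above in proxy and firewall logs. The log lines are constructed for illustration; their format and the function names are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post above: download URLs, C2 IPs and MD5s.
DOWNLOAD_URLS = {
    "www.bhtfriends.org/tydfyyur54/43e67tko.exe",
    "zomb.webzdarma.cz/tydfyyur54/43e67tko.exe",
    "nisanyapi.com/tydfyyur54/43e67tko.exe",
}
C2_IPS = {"195.154.251.123", "157.252.245.49", "198.74.58.153", "68.168.100.232"}
MD5S = {
    "d897c1cdab10a2c8cb5ce95bff03411f", "a4bdc332d9cecafcc8381cd6e5ff4667",
    "16fabe48278f84f8ae1bc682a3bd71d7", "c08519230b49ad87bc6aa12933aa0cec",
}

# Constructed sample log lines (not from the post): a proxy log and a firewall log.
SAMPLE_LOGS = """\
1445594600.123 proxy GET http://nisanyapi.com/tydfyyur54/43e67tko.exe 10.0.0.12 200
1445594601.456 proxy GET https://www.avast.com/antivirus 10.0.0.12 200
1445594620.789 fw ALLOW 10.0.0.12:49152 -> 195.154.251.123:443
1445594621.001 fw ALLOW 10.0.0.13:49160 -> 93.184.216.34:443
"""

URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def match_line(line):
    """Return (indicator_type, value) for the first indicator found in the line, else None."""
    # Match host + path, not just the host: a shared host may also serve legitimate sites.
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        key = (parts.hostname or "") + parts.path   # hostname is already lower-cased
        if key in DOWNLOAD_URLS:
            return ("download_url", key)
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            return ("c2_ip", ip)
    return None

def scan_logs(text):
    """Return [(line_number, indicator_type, value)] for every line that matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = match_line(line)
        if m:
            hits.append((n, *m))
    return hits

def data_matches_known_md5(data):
    """True if the MD5 of the given bytes is one of the samples listed in the post."""
    return hashlib.md5(data).hexdigest() in MD5S

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("line %d: %s %s" % hit)
```

The same lookup can be pointed at a web filter's logs for the %TEMP% download and at egress firewall logs for the C2 addresses; IP-based indicators go stale, so treat the blocklist as dated to the post.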
5 comments:
Just had one myself and put the email address into Google. Pity we can't saturate the email address with spam.
I started getting these emails soon after I changed my mind on buying something from TeenScrapbookinc on ioffer.com. Didn't trust the seller who had me commit to buying before he (or she) would send methods of payment to my email address. Certainly didn't want to send them my credit card details. Coincidentally, the 'seller' sent me a link to an invoice but though it had an https url, there was no verisign on the page.
Paypal might be a bind but it's safer.
I've just had one of these invoices, and strangely enough I have just ordered craft materials from a couple of crafting websites too. I'm not going to open it, just delete it.
Got this email also, googled it, thank goodness - deleted. Also posted the warning on FB
We also had one today and clicked on invoice but nothing showed using mobile and replied as we didn't know who it was and just had mail non delivery notice - will it have caused problems replying and clicking on invoice? I'm not sure if it is?
Hi there, I also just got that email sent to myself from postmaster. I will search the web for any type of link to these fuckers and let you know if I find them, so what we spam them or send some scareware back to them as revenge. These people need to be stopped by us.