From: "Stephanie Greaves" [sgreaves@btros.co.uk]
Date: Mon, 19 Oct 2015 12:06:42 +0430
Subject: COS007202

Good morning,

Please see attached purchase order.

Kind regards,

Stephanie Greaves
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]), each containing a slightly different malicious macro [1] [2] [3] [pastebin].
Analysis of the documents is pending, but they will almost certainly drop the Dridex banking trojan. Please check back later.
UPDATE:
According to these Hybrid Analysis reports [1] [2] [3], those macros download from the following locations:
euroagroec.com/35436/5324676645.exe
demo9.iphonebackstage.com/35436/5324676645.exe
webmatique.info/35436/5324676645.exe
The binary they download has a VirusTotal detection rate of 3/56 and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:
157.252.245.49 (Trinity College Hartford, US)
I recommend that you block traffic to that IP.
MD5s:
1de3889fde95e695adf6eadcb4829c6d
7ae379d02b72d5768cc07f4241def163
d9cd6d350cde885bd9c0171b6a56ee52
aea40296ee7eb0c73ae488b918572481
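As an added example (not part of the original post), here are the indicators above wired into a small sweep that checks proxy log lines for the payload download URL and the C2 IP, and checks files for the listed MD5s or the dropped file name CrowSoft1.exe. The hosts, path, IP, hashes and file name are the ones listed on this page; the proxy log layout, the sample log lines and the sample file contents are constructed assumptions for offline testing, not real traffic from the campaign.

```python
"""IOC sweep for the COS007202.doc / Dridex campaign described in the post.

Added example, not code from the original post. Indicators (download hosts
and path, C2 IP, MD5s, dropped file name) come from the post; the log
format, log lines and file contents below are CONSTRUCTED samples.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators lifted from the post.
DOWNLOAD_HOSTS = {
    "euroagroec.com",
    "demo9.iphonebackstage.com",
    "webmatique.info",
}
DOWNLOAD_PATH = "/35436/5324676645.exe"
C2_IPS = {"157.252.245.49"}
KNOWN_MD5S = {
    "1de3889fde95e695adf6eadcb4829c6d",
    "7ae379d02b72d5768cc07f4241def163",
    "d9cd6d350cde885bd9c0171b6a56ee52",
    "aea40296ee7eb0c73ae488b918572481",
}
DROPPED_NAME = "crowsoft1.exe"  # %TEMP%\CrowSoft1.exe, compared case-insensitively

# ASSUMED proxy log layout: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")


@dataclass
class Hit:
    indicator: str  # which IOC matched
    kind: str       # payload-download, payload-path-only, c2-ip, md5, dropped-filename
    evidence: str   # the log line or file name that matched


def match_proxy_line(line: str) -> list[Hit]:
    """Flag a proxy log line that fetched the payload URL or talked to the C2 IP."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return []
    u = URL_RE.match(m["url"])
    if not u:
        return []
    host = u["host"].lower()
    path = u["path"] or "/"
    hits: list[Hit] = []
    if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
        hits.append(Hit(f"{host}{path}", "payload-download", line.strip()))
    elif path == DOWNLOAD_PATH:
        # The same path served from a host not in the list: the campaign rotates
        # download hosts, so keep this as a weaker signal rather than dropping it.
        hits.append(Hit(path, "payload-path-only", line.strip()))
    if host in C2_IPS:
        hits.append(Hit(host, "c2-ip", line.strip()))
    return hits


def sweep_proxy_log(lines: Iterable[str]) -> list[Hit]:
    """Run match_proxy_line over every line and collect the hits in order."""
    return [h for line in lines for h in match_proxy_line(line)]


def check_file(name: str, content: bytes) -> list[Hit]:
    """Flag a file whose MD5 is one of the listed samples or whose name is the dropped binary."""
    hits: list[Hit] = []
    digest = hashlib.md5(content).hexdigest()
    if digest in KNOWN_MD5S:
        hits.append(Hit(digest, "md5", name))
    base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base == DROPPED_NAME:
        hits.append(Hit(DROPPED_NAME, "dropped-filename", name))
    return hits


# CONSTRUCTED sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2015-10-19T12:07:01Z 10.0.0.21 GET http://euroagroec.com/35436/5324676645.exe 200",
    "2015-10-19T12:07:02Z 10.0.0.21 GET http://www.example.org/index.html 200",
    "2015-10-19T12:07:09Z 10.0.0.21 POST http://157.252.245.49:8080/ 200",
    "2015-10-19T12:08:00Z 10.0.0.33 GET http://other-host.example/35436/5324676645.exe 404",
]

if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_LOG):
        print(f"{hit.kind:20} {hit.indicator:45} {hit.evidence}")
    # CONSTRUCTED file: real name from the post, made-up contents.
    for hit in check_file(r"C:\Users\victim\AppData\Local\Temp\CrowSoft1.exe", b"MZ constructed sample"):
        print(f"{hit.kind:20} {hit.indicator:45} {hit.evidence}")
```

The MD5 check only catches these four exact samples, and the download hosts are likely to change between runs of the campaign, which is why the path-only match is kept as a lower-confidence signal; the C2 IP match is the one that backs the blocking recommendation above.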
2 comments:
Saw this same campaign come in as a phish with the following attributes:
Sender: customerservices@ocado.com
Subject: Your receipt for today's Ocado delivery
Attach: receipt.doc
Body:
Hello
Your receipt for today's delivery is attached to this email. I'll be delivering your 12:00-14:00 order and, so you'll know it's me, I'll be driving the Lemon van.
Your order doesn't have any substitutions, everything's there.
See you later,
Paul
That's how I got it too