From: Accounts [message-service@post.xero.com]The message is neither from Avnet, Xero or Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc .. but it's actually a ZIP file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe and has a VirusTotal detection rate of 4/55. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan.
Date: 23 October 2015 at 15:08
Subject: Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)
Hi Mattie,
Attached is your credit note CN-06536 for 8954.41 GBP.
This has been allocated against invoice number
If you have any questions, please let us know.
Thanks,
Avnet, Inc.
Analysis is still pending for this malware (please check back later) but the current version of Update/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.
UPDATE:
The Hybrid Analysis report is here, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe
No comments:
Post a Comment