Sponsored by..

Tuesday 27 October 2015

Malware spam: "id:9828_My_Resume"

This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.

From:    Trinh [zhanxing1497kcuo@163.com]
Date:    27 October 2015 at 18:30
Subject:    id:9828_My_Resume
Signed by:    163.com

Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55, mostly detecting a generic macro downloader.

The macro looks like this [pastebin] and the Hybrid Analysis of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:

all-inclusiveresortstravel.com
designtravelagency.com
bigboattravel.com
cpasolutiononline.com
ciiapparelblog.com

The first three are on 108.167.140.175 and the second two are on 192.185.101.210 which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely compromised.

The Hybrid Analysis report shows that the malware has some characteristics that make it look like ransomware.

Recommended blocklist:
46.30.41.150
108.167.140.175
192.185.101.210

UPDATE:
This Tweet indicates that the payload is Cryptowall.

No comments: