
Monday, 12 October 2015

Malware spam: "Insurance" / "accounts@nolettinggo.co.uk"

This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.

From     [accounts@nolettinggo.co.uk]
Date     Mon, 12 Oct 2015 11:43:16 +0330
Subject     Insurance

Dear all

Please find attached insurance paperwork including EL certificate.  Invoices
will follow at the beginning of November.

Regards

Karen

In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56. This particular document contains this malicious macro [pastebin] which downloads a malware component from the following location:

ukenterprisetours.com/877453tr/rebrb45t.exe

The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56.

That VirusTotal report and this Hybrid Analysis report show network traffic to:

149.210.180.13 (TransIP BV, Netherlands)

I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan.

MD5s:
6b0c1290d653a4f92a6214a9c91bd23b
04e1476d464fafa559bd1bd8ea38749c
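As an added illustration (not part of the original post), the following Python checks constructed proxy and mail-gateway log lines against the indicators listed above, matching on the payload hashes and the C2 IP as well as the one download URL, since the post notes the document download locations vary while the payload does not. The two log line formats, the scanner-style attachment name pattern and the sample lines are assumptions, not anything observed.

```python
import re

# Indicators quoted from the post above; everything else here is a constructed illustration.
C2_IP = "149.210.180.13"
DOWNLOAD_URL = "ukenterprisetours.com/877453tr/rebrb45t.exe"
PAYLOAD_MD5S = {
    "6b0c1290d653a4f92a6214a9c91bd23b",
    "04e1476d464fafa559bd1bd8ea38749c",
}
FORGED_SENDER = "accounts@nolettinggo.co.uk"
# The post names one sample (SKMBT_C36014102815580.doc); generalising to other
# scanner-style names is an assumption, not something the post states.
ATTACHMENT_RE = re.compile(r"SKMBT_C\d+\.doc$", re.IGNORECASE)

# Hypothetical log formats used only for this example:
#   proxy <epoch> <src-ip> <dst-ip> GET <url>
#   mail from=<sender> attachment=<filename> md5=<hash>
PROXY_RE = re.compile(r"^proxy\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+GET\s+(?P<url>\S+)")
MAIL_RE = re.compile(r"^mail\s+from=(?P<from>\S+)\s+attachment=(?P<name>\S+)\s+md5=(?P<md5>[0-9a-f]{32})")


def scan_line(line):
    """Return the indicator names one log line matches (empty list if clean)."""
    hits = []
    m = PROXY_RE.match(line)
    if m:
        if m.group("dst") == C2_IP:
            hits.append("c2_ip")
        # Compare host + path with the scheme stripped.
        if m.group("url").split("://", 1)[-1].startswith(DOWNLOAD_URL):
            hits.append("download_url")
    m = MAIL_RE.match(line)
    if m:
        if m.group("md5") in PAYLOAD_MD5S:
            hits.append("payload_md5")
        if ATTACHMENT_RE.search(m.group("name")) and m.group("from").lower() == FORGED_SENDER:
            hits.append("forged_sender_with_doc")
    return hits


def scan(lines):
    """Return (line_number, hits) for every line that matched at least one indicator."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := scan_line(line))]


# Constructed sample lines (203.0.113.7 and the last md5 are placeholders, not real values).
SAMPLE_LOGS = [
    "proxy 1444642996 10.0.0.5 203.0.113.7 GET http://ukenterprisetours.com/877453tr/rebrb45t.exe",
    "proxy 1444643010 10.0.0.5 149.210.180.13 GET http://149.210.180.13/",
    "proxy 1444643020 10.0.0.9 93.184.216.34 GET http://example.com/",
    "mail from=accounts@nolettinggo.co.uk attachment=SKMBT_C36014102815580.doc md5=6b0c1290d653a4f92a6214a9c91bd23b",
    "mail from=colleague@example.org attachment=report.docx md5=00000000000000000000000000000000",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOGS):
        print(lineno, hits)
```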

2 comments:

LindaD said...

Many thanks, have that email in my inbox but knew it was not legit. Many thanks for confirmation.

Unknown said...

I wonder what they get out of spam mail like this. It doesn't seem as though they can get money or finance information out of it with replies. It's probably a virus of sorts.