
Tuesday, 20 October 2015

Malware spam: "Purchase Order No: 48847" / "Harminder Saund"

This fake financial spam comes with a malicious payload:

From     Harminder Saund [MinSaund77@secureone.co.uk]
Date     Tue, 20 Oct 2015 16:08:53 +0700
Subject     Purchase Order No: 48847

Attached is a copy of our Purchase Order number 48847

==============
Harminder Saund

Secure One
==============

The sender's email address varies slightly, for example:

MinSaund77@secureone.co.uk
MinSaund92@secureone.co.uk
MinSaund94@secureone.co.uk
MinSaund013@secureone.co.uk

Attached is a file PO_48847.DOC, of which I have seen two different versions so far (VirusTotal [1] [2]), each containing a slightly different malicious macro [1] [2]. There are probably further versions of the document with different macros.

Automated analysis is pending, however the payload is most likely the Dridex banking trojan. Please check back for updates.

MD5s:
c6cd52b59fc772edde4df5d4058524fe
001415839b511361bc429c379892065d

UPDATE:
So far, three download locations have been identified:

ladiesfirst-privileges.com/656465/d5678h9.exe
papousek.kvalitne.cz/656465/d5678h9.exe
pmspotter.wz.cz/656465/d5678h9.exe

This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56 (MD5 e4bb8a66855f6987822f5aca86060f2c). The Hybrid Analysis reports [1] [2] indicate that it calls home to:

fat.uk-fags.top / 188.166.250.20 (Digital Ocean, Singapore)

I recommend that you block traffic to that IP.

The payload has been reported to be Shifu, not Dridex.
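To make the indicators in this post usable on the defending side, here is an added Python example (it is not part of the original post, nor anything the sender or analysis services provide). It takes the three download locations, the shared URL path, the call-home host and IP, the sender address pattern and the MD5s listed above, and checks constructed proxy log lines and addresses against them. The four-column log layout and the sample lines are assumptions made for the example; it also goes slightly beyond the post by flagging the shared path `/656465/d5678h9.exe` on a host that is not yet on the list, since campaigns like this rotate download hosts.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post: three download hosts sharing one path, one
# call-home host/IP, the sender address pattern and the three MD5s.
DOWNLOAD_HOSTS = {
    "ladiesfirst-privileges.com",
    "papousek.kvalitne.cz",
    "pmspotter.wz.cz",
}
DOWNLOAD_PATH = "/656465/d5678h9.exe"
C2_HOST = "fat.uk-fags.top"
C2_IP = "188.166.250.20"
KNOWN_MD5S = {
    "c6cd52b59fc772edde4df5d4058524fe",  # PO_48847.DOC, first version
    "001415839b511361bc429c379892065d",  # PO_48847.DOC, second version
    "e4bb8a66855f6987822f5aca86060f2c",  # dropped %TEMP%\shhg32c.exe
}
# Sender addresses seen so far are MinSaund<digits>@secureone.co.uk.
SENDER_RE = re.compile(r"^MinSaund\d+@secureone\.co\.uk$", re.IGNORECASE)

# Constructed sample proxy log lines (hypothetical layout, not real logs):
# "<timestamp> <client_ip> <destination_ip> <url>"
SAMPLE_PROXY_LOG = [
    "2015-10-20T09:15:02 10.0.0.15 93.184.216.34 http://example.com/index.html",
    "2015-10-20T09:16:40 10.0.0.15 203.0.113.7 http://papousek.kvalitne.cz/656465/d5678h9.exe",
    "2015-10-20T09:16:55 10.0.0.15 188.166.250.20 http://fat.uk-fags.top/",
    "2015-10-20T09:17:10 10.0.0.22 198.51.100.9 http://mirror.example.org/656465/d5678h9.exe",
]


def classify_url(url, dest_ip=None):
    """Return an indicator label for a URL (plus optional destination IP), or None if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == C2_HOST or dest_ip == C2_IP:
        return "c2-callback"
    if host in DOWNLOAD_HOSTS and parts.path == DOWNLOAD_PATH:
        return "payload-download"
    # Same path on an unlisted host: worth a look, since download hosts rotate.
    if parts.path == DOWNLOAD_PATH:
        return "suspect-download-path"
    return None


def parse_proxy_line(line):
    """Split one sample line into its four assumed fields."""
    ts, client, dest_ip, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "dest_ip": dest_ip, "url": url}


def scan_proxy_log(lines):
    """Return the log records that match any indicator, tagged with a label."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        label = classify_url(rec["url"], rec["dest_ip"])
        if label:
            hits.append({**rec, "label": label})
    return hits


def is_campaign_sender(address):
    """True if a From: address follows the MinSaund<digits>@secureone.co.uk pattern."""
    return SENDER_RE.match(address.strip()) is not None


def is_known_hash(md5hex):
    """True if an MD5 (any case) is one of the hashes listed in the post."""
    return md5hex.strip().lower() in KNOWN_MD5S


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["label"]}: {hit["url"]}')
```

Run against the constructed sample, the scan reports the download from papousek.kvalitne.cz, the call-home to fat.uk-fags.top, and the same download path on an unlisted host as a lower-confidence hit; the clean example.com request is ignored. Matching the IP separately from the hostname matters because a blocked DNS name does not stop a sample that connects to 188.166.250.20 directly.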
