Thursday 15 October 2015

Malware spam: "[Scan] 2015-10-14 5:29:54 p.m." / "Ray White [rw@raylian.co.uk]"

This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery.

From     Ray White [rw@raylian.co.uk]
Date     Thu, 15 Oct 2015 10:56:35 +0200
Subject     [Scan] 2015-10-14 5:29:54 p.m.

Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc, which has a VirusTotal detection rate of 4/56 and contains a malicious macro (a copy is on pastebin). The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:

sdhstribrnalhota.xf.cz/86575765/6757645.exe

Despite the apparently random name, this is a legitimate website (SDH Stříbrná Lhota) that has been compromised to host the payload. The downloaded binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for it shows connections to:

89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)


The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.

Recommended blocklist:
89.32.145.12
195.154.251.123

MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40
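A practical way to use the indicators above is to sweep proxy, firewall and attachment data for them. The script below is an added example, not part of the original post: it takes the download URL, the two C2 IPs and the two MD5s listed above and matches them against constructed proxy and firewall log lines (the log formats, the internal client addresses and the sample lines are all assumptions made for the example; real logs would need their own parser).

```python
"""Sweep logs and files for the IOCs of the "[Scan] 2015-10-14" Dridex run.

Added example; not code from the original post. Log formats and sample
lines are constructed for illustration.
"""
import hashlib
from urllib.parse import urlsplit

# Indicators as listed in the post.
DOWNLOAD_HOST = "sdhstribrnalhota.xf.cz"
DOWNLOAD_PATH = "/86575765/6757645.exe"
C2_IPS = {"89.32.145.12", "195.154.251.123"}
MD5S = {
    "30e1ad13b091ec24935724ed0abf62ca",
    "bc571b3cfa8902da248420ba5e765a40",
}

# Constructed proxy log: "<ts> <client_ip> <method> <url_or_host:port> <status>"
PROXY_LOG = """\
1444900000.123 10.0.0.21 GET http://sdhstribrnalhota.xf.cz/86575765/6757645.exe 200
1444900001.456 10.0.0.22 GET http://www.example.org/index.html 200
1444900002.789 10.0.0.21 CONNECT 89.32.145.12:443 200
1444900003.000 10.0.0.23 GET http://example.net/a.exe 404
"""

# Constructed firewall log: "<ts> src=<ip> dst=<ip> dport=<port>"
FW_LOG = """\
2015-10-15T10:57:01 src=10.0.0.21 dst=195.154.251.123 dport=8080
2015-10-15T10:57:05 src=10.0.0.22 dst=93.184.216.34 dport=443
"""


def classify_proxy_line(line):
    """Return (client_ip, indicator) for a proxy line that hits an IOC, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, client, method, target, _status = parts
    if method.upper() == "CONNECT":
        # CONNECT targets are "host:port", not full URLs.
        host = target.rpartition(":")[0] or target
        return (client, "c2-ip " + host) if host in C2_IPS else None
    u = urlsplit(target)
    host = (u.hostname or "").lower()
    if host == DOWNLOAD_HOST and u.path == DOWNLOAD_PATH:
        return (client, "payload-url " + target)
    if host in C2_IPS:
        return (client, "c2-ip " + host)
    return None


def sweep_proxy(log_text):
    """All IOC hits in a proxy log, in log order."""
    return [h for h in map(classify_proxy_line, log_text.splitlines()) if h]


def sweep_firewall(log_text):
    """IOC hits in a key=value firewall log: any flow to a listed C2 address."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        dst = fields.get("dst")
        if dst in C2_IPS:
            hits.append((fields.get("src"), "c2-ip " + dst))
    return hits


def md5_hit(data):
    """MD5 hex digest of data if it matches a listed sample, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in MD5S else None


def compromised_hosts(proxy_log=PROXY_LOG, fw_log=FW_LOG):
    """Internal addresses that touched any indicator: the triage list."""
    return {client for client, _ in sweep_proxy(proxy_log) + sweep_firewall(fw_log)}


if __name__ == "__main__":
    for hit in sweep_proxy(PROXY_LOG) + sweep_firewall(FW_LOG):
        print("%s -> %s" % hit)
    print("hosts to triage:", sorted(compromised_hosts()))
    # A constructed attachment that is not one of the samples: no hash match.
    print("hash match:", md5_hit(b"constructed benign attachment"))
```

On the constructed logs the only host to triage is 10.0.0.21, which both fetched the payload URL and spoke to a C2 address. Matching the full download URL rather than just the host matters here: the host is a compromised legitimate site, so blocking it outright would also break access to the real site, whereas the two C2 IPs can go straight onto the blocklist.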

1 comment:

  1. Hi,

    Attached is receipt of transfer regarding the deposit increase for our new contract to the Cherry Tree Cottage.
    Let me know if it's all sorted.

    Frederico Kessler
    Product Owner | Games Platform

    gamesysign
    4th Floor, 10 Piccadilly
    London, W1J 0DD

    Email: frederico.kessler@gamesys.co.uk
