From repairs@isgfleet.co.uk
Date Mon, 05 Oct 2015 15:47:11 +0700
Subject Your Invoices - Incident Support Group Ltd
Please find attached your invoices from Incident Support Group Ltd. If you wish to
change the email address we have used please email repairs@isgfleet.co.uk with the
correct details.
In the sample I saw, the attached file was 216116.xls which has a VirusTotal detection rate of 6/56 and contains this malicious macro [pastebin] which then downloads a component from the following location:
agridiotiko.com/432/4535.exe
Note that at the time of writing, I only have one sample of this. There are usually several versions of the attachment in these spam runs, with different download locations. The malicious binary has a detection rate of 4/56.
The VirusTotal report and this Hybrid Analysis report indicate traffic to:
84.246.226.211 (ELB Multimedia, France)
Blocking or monitoring traffic to and from that IP address would probably be prudent. The payload is most likely the Dridex banking trojan.
UPDATES:
Other download locations spotted so far:
www.poncho-zwerfkatten.be/432/4535.exe
conserpa.vtrbandaancha.net/432/4535.exe
www3.telus.net/~a7a78529/432/4535.exe
216.119.122.167/432/4535.exe
MD5s:
87b01608b8170029816df5eed11cd9c5
2c78ee663f0e0f6a4f651e92afaf243e
75d87be2b43a61d35e938393be0633d5
ce94c036dac774b3cb8c7a07ff333c7f
29b56ddfab41f92b0447783e1ef6ccd8
896b4edc333dba1bb533b9ca18549fe7
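The indicators above (download locations, the C2 address and the MD5 list) collected into a small script that can be run over proxy logs, as an added example that is not part of the original post. The log format is an assumption and the sample lines are constructed; the separate match on the shared /432/4535.exe path generalises from the post's note that further download hosts with the same path keep appearing in these spam runs.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post above. Download URLs are kept defanged
# (hxxp, [.]) so this script is safe to paste into a ticket or e-mail.
DOWNLOAD_URLS = [
    "hxxp://agridiotiko[.]com/432/4535[.]exe",
    "hxxp://www[.]poncho-zwerfkatten[.]be/432/4535[.]exe",
    "hxxp://conserpa[.]vtrbandaancha[.]net/432/4535[.]exe",
    "hxxp://www3[.]telus[.]net/~a7a78529/432/4535[.]exe",
    "hxxp://216[.]119[.]122[.]167/432/4535[.]exe",
]
C2_IPS = {"84.246.226.211"}
PAYLOAD_MD5S = {
    "87b01608b8170029816df5eed11cd9c5",
    "2c78ee663f0e0f6a4f651e92afaf243e",
    "75d87be2b43a61d35e938393be0633d5",
    "ce94c036dac774b3cb8c7a07ff333c7f",
    "29b56ddfab41f92b0447783e1ef6ccd8",
    "896b4edc333dba1bb533b9ca18549fe7",
}

# Every download location seen so far shares this path, so it is matched on
# its own as well: the post says new hosts with the same path are likely.
PAYLOAD_PATH_RE = re.compile(r"/432/4535\.exe$", re.IGNORECASE)


def refang(url):
    """Turn a defanged indicator (hxxp://a[.]b) back into a real URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def download_hosts():
    """Hostnames/IPs of the known download locations (lower-cased by urlsplit)."""
    return {urlsplit(refang(u)).hostname for u in DOWNLOAD_URLS}


def classify(line):
    """Return the reasons a proxy log line matches this campaign (empty if none).

    Assumed (constructed) log format, one request per line:
        <timestamp> <client-ip> <method> <url-or-host:port>
    """
    parts = line.split()
    if len(parts) < 4:
        return []
    target = parts[3]
    if "://" in target:
        parsed = urlsplit(target)
        host, path = parsed.hostname, parsed.path
    else:  # CONNECT lines carry host:port with no scheme
        host, path = target.rsplit(":", 1)[0], ""
    reasons = []
    if host in download_hosts():
        reasons.append("known download host %s" % host)
    elif PAYLOAD_PATH_RE.search(path):
        reasons.append("payload path %s on new host %s" % (path, host))
    if host in C2_IPS:
        reasons.append("Dridex C2 %s" % host)
    return reasons


def scan(lines):
    """Return [(line, reasons)] for every line matching at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def is_known_payload(data):
    """True if the bytes of a file hash to one of the MD5s listed in the post."""
    return hashlib.md5(data).hexdigest() in PAYLOAD_MD5S


# Constructed sample log lines (not real traffic): a payload download from a
# listed host, a beacon to the C2 address, the same path on an unlisted host,
# and two benign requests that must not match.
SAMPLE_LOG = [
    "2015-10-05T09:02:11 10.1.2.34 GET http://www3.telus.net/~a7a78529/432/4535.exe",
    "2015-10-05T09:02:40 10.1.2.34 CONNECT 84.246.226.211:443",
    "2015-10-05T09:03:05 10.1.2.51 GET http://example.org/432/4535.exe",
    "2015-10-05T09:04:19 10.1.2.77 GET http://www.example.com/index.html",
    "2015-10-05T09:05:00 10.1.2.77 CONNECT login.example.com:443",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Matching the path separately is what catches the third sample line (an unlisted host serving /432/4535.exe), which a plain host blocklist would miss; `is_known_payload` is there for checking a file pulled from a quarantine against the hash list.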
10 comments:
Hello...
Thanks for the article.
Got one too. Exactly the same content and xls.
Just got this one. Windows Defender didn't see anything bad in it but I'm naturally suspicious so I Googled it.
Just got this same email in my inbox as well. I never open attachments from emails I'm unsure about but Googled it just to be on the safe side.
Yes got one too, along with the usual cluttering of paypal scams (do these work on anybody anymore!?) obviously fake as hell. Obviously if you don't know them, haven't paid for services or applied for anything- at the very least you should recognise the name- then safely ignore, if it's important they can call or write.
Block:
hxxp://216[.]119[.]122[.]167/432/4535[.]exe
hxxp://www3[.]telus[.]net/~a7a78529/432/4535[.]exe
hxxp://www[.]poncho-zwerfkatten[.]be/432/4535[.]exe
hxxp://conserpa[.]vtrbandaancha[.]net/432/4535[.]exe
Cheers,
Dado
Thanks, just received one of these. Will delete.
I just accidentally opened the same email and viewed the attachment in edit mode, so I'm assuming the macro ran. How would I go about removing this virus? I've already run Windows Defender and scanned my computer but it didn't find anything.
@Ross - it might have downloaded all sorts of things. I would recommend shutting it down first of all, then resetting your banking passwords if you have them saved on the computer. In a few days time the AV vendors should be up-to-date with their signatures, but you need something better than Windows Defender. The F-Secure Online Scanner and Trend Micro Housecall are two good online scanners.
One sign of infection is a file C:\Users\[username]\AppData\Local\Temp\zzA.exe which will (if present) show that the machine is infected, but other components may have been downloaded and just removing it may not clean up the machine.
@Conrad Longmore
I've checked my temp folder like you suggested. The .exe file wasn't there and nothing has been created or changed in my temp folder for the last 5 days, so does that mean I'm okay?
Luckily I don't use this computer whatsoever for any banking or anything using passwords.
@Ross, looks promising but I would still give it a scan in a few days. Maybe invest in some better anti-virus software too, Kaspersky seems good at detecting this. :)