Sponsored by..

Thursday 26 November 2015

Malware spam: "Invoice Document SI528880" / "Lucie Newlove [lucie@hiderfoods.co.uk]"

This fake invoice does not come from Hider Food Imports Ltd but is instead a simple forgery with a malicious attachment.

From     Lucie Newlove [lucie@hiderfoods.co.uk]
Date     Thu, 26 Nov 2015 16:03:04 +0500
Subject     Invoice Document SI528880

Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

Hider Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA

Registered in England  Number : 842813

Main Tel: +44 (0)1482 561137
Sales Tel :+44 (0)1482 504333
Fax: +44 (0)1482 565668

E-Mail: mail@hiderfoods.co.uk
Website: http://www.hiderfoods.co.uk

DISCLAIMER: This e-mail and any attachments are private and confidential and are
intended solely for the use of the intended recipient(s).  If you are not the intended
recipient, you must not use, disclose, distribute, copy, print, or rely on this e-mail.
If you have received this e-mail in error, please advise the sender by return e-mail
immediately and delete all copies of this message and any attachments from your systems.
All prices quoted are subject to final confirmation. This e-mail and any other arrangements
between us will be subject to our terms and conditions of business, a copy of which
can be found at our website or available upon request.

ANTIVIRUS: Hider Food Imports Ltd regularly update and utilise current anti-virus
products.  Hider Food Imports Ltd however accept no liability for any damage which
may be caused by any virus transmitted by this e-mail or any attachments.  Recipients
should check this e-mail is free of Viruses.

The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54, and it contains this malicious macro [pastebin] which according to this Hybrid Analysis report downloads a malicious component from:

naceste2.czechian.net/76t89/32898u.exe

This executable has a detection rate of just 1/54 and automated analysis [1] [2] [3] [4] [5] shows network traffic to the following IPs:

94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
8.253.44.158 (Level 3, US)
37.128.132.96 (Memset, UK)
91.212.89.239 (Uzinfocom, Uzbekistan)
185.87.51.41 (Marosnet, Russia)
42.117.2.85 (FPT Telecom Company, Vietnam)
192.130.75.146 (Jyvaskylan Yliopisto, Finland)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
5.63.88.100 (Centr, Kazahkstan)


The payload is probably the Dridex banking trojan.

MD5s:
b8d83b04a06b6853ad3e79a977dd17af
43a1211146a1938cd4de5d46c68124eb

Recommended blocklist:
94.73.155.12
8.253.44.158
37.128.132.96
91.212.89.239
185.87.51.41
42.117.2.85
192.130.75.146
195.187.111.11
5.63.88.100


NOTE
I accidentally included 191.234.4.50 in a previous version of the blocklist. This IP is for Windows Update (I deleted it from the first list, not the second one!). If you have blocked this IP then I recommend that you unblock it.

No comments: