Sponsored by..

Monday, 30 November 2015

Malware spam: "Message from mibser_00919013013"

I have only one sample of this rather terse email with no body text:
From:    scan@victimdomain
Reply-To:    scan@victimdomain
To:    hiett@victimdomain
Date:    30 November 2015 at 09:22
Subject:    Message from mibser_00919013013
The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54 and contained this malicious macro [pastebin]. .

According to this Hybrid Analysis report and this Malwr report the macro downloads a malicious executable from:

velitolu.com/89u87/454sd.exe

This binary has a detection rate of 3/55. Automated report tools [1] [2] show network traffic to:

94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
42.117.2.85 (FPT Telecom Company, Russia)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
5.63.88.100 (Centr, Kazakhstan)


The payload is likely to be the Dridex banking trojan:

MD5s:
1fac282d89e9af6fd548db2c71124c38
b77b2b6b80968b458e838d3a40e10551


Recommended blocklist:
94.73.155.12
42.117.2.85
89.189.174.19
5.63.88.100



No comments: