
Thursday, 12 November 2015

Malware spam: "Remittance Advice" / "AccountsPayable@Norfolk.gov.uk"

This fake financial spam does not come from Norfolk County Council but is instead a simple forgery with a malicious attachment:

From     AccountsPayable@Norfolk.gov.uk
Date     Thu, 12 Nov 2015 14:09:46 +0430
Subject     Remittance Advice

Dear Sir/Madam,

Please find attached your remittance advice.

Regards,
NCC

--
To see our email disclaimer click here http://www.norfolk.gov.uk/emaildisclaimer

Attached is a file 6134443_101115_141851.xls which apparently comes in two or three versions, although I have only seen one with a VirusTotal detection rate of 3/54 and containing this malicious macro.

These documents then download a malicious binary from:

aniretak.wz.cz/5t546523/lhf3f334f.exe
sanoko.jp/5t546523/lhf3f334f.exe
www.delianfoods.com/5t546523/lhf3f334f.exe

This binary has a VirusTotal detection rate of 3/54, and that report plus this Hybrid Analysis report show malicious traffic to:

95.154.203.249 (Iomart Hosting / Rapidswitch, UK)
182.93.220.146 (Ministry of Education, Thailand)

The payload is the Dridex banking trojan.

Recommended blocklist:
95.154.203.249
182.93.220.146

MD5s:
289af95f99f58c751a7d1d0a26d7cdb3
becb1cdbd1c1aea53260c2ed96eb6ee2
d020bfed9f93636114b9736100a9b59f
5173aaa2f5aa40df7ffa772eeaa0d1f7
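The indicators above (download URLs, C2 IPs and MD5s) are only useful if they are actually checked against something. The script below is an added example, not part of the original post, that turns them into a small IOC matcher: it classifies proxy log URLs against the three download locations, their shared path (all three hosts serve the same `/5t546523/lhf3f334f.exe`, so a hit on that path from an unlisted host is worth a look too), and the two C2 addresses, and checks a file's MD5 against the listed hashes. The log format (timestamp, client IP, status, method, URL) and the log lines themselves are constructed for the example; adapt the regex to whatever your proxy writes.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the post above.
DOWNLOAD_URLS = {
    "aniretak.wz.cz/5t546523/lhf3f334f.exe",
    "sanoko.jp/5t546523/lhf3f334f.exe",
    "www.delianfoods.com/5t546523/lhf3f334f.exe",
}
DOWNLOAD_PATH = "/5t546523/lhf3f334f.exe"  # shared by all three download hosts
C2_IPS = {"95.154.203.249", "182.93.220.146"}
MD5S = {
    "289af95f99f58c751a7d1d0a26d7cdb3",
    "becb1cdbd1c1aea53260c2ed96eb6ee2",
    "d020bfed9f93636114b9736100a9b59f",
    "5173aaa2f5aa40df7ffa772eeaa0d1f7",
}

# Constructed proxy log lines (assumption: a simple space-separated layout of
# "timestamp client status method url"; real proxies use other formats).
SAMPLE_LOG = """\
1447335000.123 10.0.0.5 TCP_MISS/200 GET http://aniretak.wz.cz/5t546523/lhf3f334f.exe
1447335001.456 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1447335002.789 10.0.0.7 TCP_MISS/200 POST http://95.154.203.249/
1447335003.000 10.0.0.9 TCP_MISS/404 GET http://example.net/5t546523/lhf3f334f.exe
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def classify_url(url):
    """Return the indicator category a URL matches, or None if it is clean.

    Strongest match first: an exact download URL from the post, then the
    shared download path on any host, then a connection to a listed C2 IP.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if host + path in DOWNLOAD_URLS:
        return "dridex-download-url"
    if path == DOWNLOAD_PATH:
        # Same path, unlisted host: possibly one of the "other versions".
        return "dridex-download-path"
    if host in C2_IPS:
        return "dridex-c2"
    return None


def scan_log(text):
    """Scan log text; return (client, category, url) for every matching line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than crash the scan
        category = classify_url(m.group("url"))
        if category:
            hits.append((m.group("client"), category, m.group("url")))
    return hits


def is_known_sample(data):
    """True if the MD5 of the given file contents is one of the listed hashes."""
    return hashlib.md5(data).hexdigest() in MD5S


if __name__ == "__main__":
    for client, category, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{category}\t{url}")
```

The path-only rule is deliberately weaker than the other two: the post says the document comes in two or three versions, so a new host serving the same path is a lead to investigate, not something to block automatically. The C2 match, by contrast, is a direct hit on the recommended blocklist and should page someone.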