Sponsored by..

Monday 30 November 2015

Malware spam: "Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD" / "orders@kidd-uk.com"

This fake financial spam is not from James F Kidd, but is instead a simple forgery with a malicious attachment:
From:    orders@kidd-uk.com
Date:    30 November 2015 at 13:42
Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD

 Please see enclosed Sales Invoice for your attention.

 Regards from Accounts at James F Kidd
 ( email: accounts@kidd-uk.com )
I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55.

This Malwr report indicates that in this case there may be an error in the malicious macro [pastebin]. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan.

UPDATE

I have received two more samples, one names invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54 and 4/55. One of these two also produces an error when run.

The working attachment (according to this Malwr report and Hybrid Analysis report) downloads a malicious binary from:

bjdennehy.ie/~upload/89u87/454sd.exe

This has a VirusTotal detection rate of 3/54. Automated analysis tools [1] [2] [3] [4] show malicious traffic to:

 94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)

MD5s:
495d47eedde6566a12b74c652857887e
182db9fc18c5db0bfcb7dbe0cf61cae5
177948c68bc2d67218cde032cdaf1239
07c90e44adcf8b181b55d001cd495b7f

Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239
Posted by at
Labels: , , , , , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)