Sponsored by..

Tuesday 24 November 2015

Malware spam: "Scan as requested" / "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]

This fake document scan does not come from New Hope Specialist Care but is instead a simple forgery with a malicious attachment:

From     "Melissa O'Neill" [adminoldbury@newhopecare.co.uk]
Date     Tue, 24 Nov 2015 07:11:00 -0300
Subject     Scan as requested

Regards


Paulette Riley

Administrator

New Hope Specialist Care Ltd
126 Brook Road
Oldbury
West Midlands
B68 8AE

tel: 0121 552 1055
mobile: 07811 486 270
fax: 0121 544 7104


* PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL *


This is an email from New Hope Specialst Care Ltd. The information contained
within this message is intended for the addressee only and may contain
confidential and/or privilege information. If you are not the intended
recipient you may not peruse, use, disseminate, distribute or copy this
message. If you have received this message in error please notify the sender
immediately by email or telephone and either return or destroy the original
message. New Hope Specialsit Care Ltd accept no responsibility for any
changes made to this message after it has been sent by the original author.
The views contained herein do not necessarily represent the views of New
Hope Specialist Care Ltd This email or any of its attachments may contain
data that falls within the scope of the Data Protection Acts. You must
ensure that handling or processing of such data by you is fully compliant
with the terms and provisions of the Data Protection Act 1984 and 1988

---
This email has been checked for viruses by Avast antivirus software.
http://www.avast.com

Attached is a file 20151009144829748.doc of which I have seen two versions (VirusTotal results [1] [2]) and which contain a macro like this [pastebin].

Analysis of these documents is pending, but the payload is likely to be the Dridex banking trojan.

Frustratingly, it looks like the web host has suspended newhopecare.co.uk which is not helpful in these circustances, as it stops the victim company from posting a warning.


UPDATE

These two Hybrid Analysis reports [1] [2] show a download from the following locations:

www.costa-rica-hoteles-viajes.com/~web/7745gd/4dgrgdg.exe
janaduchanova.wz.cz/7745gd/4dgrgdg.exe


This has a VirusTotal detection rate of 4/55. That VT analysis and this Malwr analysis and these two Hybrid Analysis reports [1] [2] show network traffic to:

157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic)


MD5s:
06c1c0a6d5482b93737f9ce250161b82
3368d7d4f48d291ee0f4ae7c81dd73a6
15fcf405b726379c6efabc89d6e0ceac


Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153



2 comments:

Unknown said...

Just received one of these this morning. We appear to be getting several emails a week from various addresses that are trying to access the software. It is very frustrating.

Unknown said...
This comment has been removed by the author.