Thursday, 19 November 2015

Malware spam: "Your Google invoice is ready" / "billing-noreply@google.com"

This fake invoice does not come from Google, but is instead a simple forgery with a malicious attachment:

From:    billing-noreply@google.com
Date:    19 November 2015 at 12:40
Subject:    Your Google invoice is ready

Attached to this email, please find the following invoice:

Invoice number: 1630884720
Due date: 19-Nov-2015
Billing ID: 34979743806


Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@google.com.

Yours Sincerely,
The Google Billing Team


--------------------------
Billing ID: 0349-7974-3806

The attachment is named 1630884720.doc, which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro like this [pastebin].

Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan.

UPDATE

The Hybrid Analysis of the two documents [1] [2] shows attempted downloads from the following locations:

bhoomiconsultants.com/8i65h4g53/o97i76u54.exe [active]
bhairavraffia.com/8i65h4g53/o97i76u54.exe [file not found]

This binary has a detection rate of 1/54 and those reports indicate malicious network traffic to the familiar IP address of:

182.93.220.146 (Ministry of Education, Thailand)

I strongly recommend that you block traffic to that IP.
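To turn the indicators above (and the C2 ports listed in the comment below) into something you can run over your own logs, here is an added example that is not part of the original post: a small Python matcher that flags connection records to the blocked IP or the listed C2 endpoints and proxy records fetching the payload path. The two log formats and the sample lines are constructed for the example, so adapt the regexes to your firewall and proxy output.

```python
import re

# Indicators taken from this post and the comment below it.
BLOCKED_IPS = {"182.93.220.146"}
C2_ENDPOINTS = {
    ("182.93.220.146", 4438),
    ("78.47.66.169", 7447),
    ("89.108.71.148", 8843),
    ("221.132.35.56", 8843),
}
PAYLOAD_PATH = "/8i65h4g53/o97i76u54.exe"   # same path on both download hosts
PAYLOAD_HOSTS = {"bhoomiconsultants.com", "bhairavraffia.com"}

# Assumed (constructed) log formats: "conn <src> -> <dst>:<port>" for firewall
# connection records and "http <src> <host> <path>" for proxy records.
CONN_RE = re.compile(r"^conn (\S+) -> (\S+):(\d+)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")


def classify(line):
    """Return (severity, reason) for one log line, or None if it matches nothing."""
    m = CONN_RE.match(line.strip())
    if m:
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if (dst, port) in C2_ENDPOINTS:
            return ("high", f"{src} -> known Dridex C2 {dst}:{port}")
        if dst in BLOCKED_IPS:  # the post recommends blocking the IP outright
            return ("medium", f"{src} -> blocked IP {dst} on unlisted port {port}")
        return None
    m = HTTP_RE.match(line.strip())
    if m:
        src, host, path = m.groups()
        if path == PAYLOAD_PATH:
            return ("high", f"{src} fetched macro payload from {host}{path}")
        if host in PAYLOAD_HOSTS:
            return ("low", f"{src} contacted payload host {host}")
    return None


def scan(lines):
    """Return (line_number, severity, reason) for every line that matches an indicator."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]


# Constructed sample log: four lines should match, one is clean.
SAMPLE_LOG = [
    "conn 10.0.0.5 -> 182.93.220.146:4438",
    "conn 10.0.0.5 -> 182.93.220.146:80",
    "http 10.0.0.7 bhoomiconsultants.com /8i65h4g53/o97i76u54.exe",
    "http 10.0.0.7 bhairavraffia.com /favicon.ico",
    "conn 10.0.0.9 -> 93.184.216.34:443",
]

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE_LOG):
        print(f"line {n} [{sev}] {why}")
```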

1 comment:

Unknown said...

C2 channels:
182.93.220.146:4438
78.47.66.169:7447
89.108.71.148:8843
221.132.35.56:8843