
Thursday 26 November 2015

Random "Payment" spam leads to Dridex

I have only seen one version of this spam message so far:

From:    Basia Slater [provequipmex@provequip.com.mx]
Date:    26 November 2015 at 12:00
Subject:    GVH Payment

I hope you had a good weekend.
Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.

Basia Slater
Comerica Incorporated

This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55, containing this malicious macro [pastebin]. The Malwr report for this version indicates a download from:


According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53. The Hybrid Analysis report and Malwr report for that file indicate malicious traffic to: (Telekomunikasyon Anonim Sirketi, Turkey) (VPS Cheap INC, US)

Note that is mentioned in this other Dridex report today, both IPs form part of a small subnet of suballocated to one "Geray Timur Akkurt".

My contacts (you know who you are, thank you) indicate that the emails are generated according to the following pattern:

> From: (random)
> Subject: ABC Transaction
- raw Subject: =?UTF-8?Q?ABC__Transaction?=
- matching /[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)/
> X-mailer: Thunderbird 9.23
- matching /[1-9]\.[1-9]{2}/
> Attachment: "Z98Y76.doc"
- matching /[A-Z0-9]{4,14}\.doc/
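
The pattern above can be turned into a mail-filter check. The following Python is an added example, not code from the original post or from the contacts who supplied the pattern. The sample message is constructed, and two choices are assumptions: whitespace in the decoded Subject is collapsed (the raw Subject shown carries two encoded spaces), and the X-mailer version pattern is prefixed with "Thunderbird " as in the example value.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Patterns copied from the page; fullmatch() below anchors them to the whole field.
SUBJECT_RE = re.compile(r"[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)")
XMAILER_RE = re.compile(r"Thunderbird [1-9]\.[1-9]{2}")  # prefix is an assumption
ATTACH_RE = re.compile(r"[A-Z0-9]{4,14}\.doc")

def decoded(value):
    """Decode an RFC 2047 header value and collapse runs of whitespace."""
    text = str(make_header(decode_header(value or "")))
    return " ".join(text.split())

def match_campaign(raw_message):
    """Return which of the three campaign patterns a raw message matches."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.fullmatch(decoded(msg["Subject"])):
        hits.append("subject")
    if XMAILER_RE.fullmatch(decoded(msg["X-Mailer"])):  # lookup is case-insensitive
        hits.append("x-mailer")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if any(ATTACH_RE.fullmatch(n) for n in names):
        hits.append("attachment")
    return hits

# Constructed sample message built from the example values in the pattern.
SAMPLE_SPAM = """\
From: sender@example.com
Subject: =?UTF-8?Q?ABC__Transaction?=
X-Mailer: Thunderbird 9.23
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please check the payment confirmation attached to this email.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Z98Y76.doc"

AAAA
--b1--
"""

if __name__ == "__main__":
    print(match_campaign(SAMPLE_SPAM))
```

A message that matches all three patterns is a strong candidate for quarantine; a single hit on its own (for example the subject alone) will also match legitimate mail.
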
They indicate an additional download location of:


with an additional C2 location of: (Net4india , India)

Recommended blocklist:
