Sponsored by..

Thursday, 26 November 2015

Random "Payment" spam leads to Dridex

I have only seen one version of this spam message so far:

From:    Basia Slater [provequipmex@provequip.com.mx]
Date:    26 November 2015 at 12:00
Subject:    GVH Payment

I hope you had a good weekend.
Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.


Basia Slater
Accountant
Comerica Incorporated
This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55, containing this malicious macro [pastebin]. The Malwr report for this version indicates a download from:

harbourviewnl.ca/jo.jpg?6625

According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53. The Hybrid Analysis report and Malwr report for that indicates malicious traffic to:

94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)


Note that 94.73.155.12 is mentioned in this other Dridex report today, both IPs form part of a small subnet of  94.73.155.8/29 suballocated to one "Geray Timur Akkurt".

My contacts (you know who you are, thank you) indicate that the emails are generated according to the following pattern:

> From: (random)
> Subject: ABC Transaction
- raw Subject: =?UTF-8?Q?ABC__Transaction?=
- matching /[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)/
> X-mailer: Thunderbird 9.23
- matching /[1-9]\.[1-9]{2}/
Attachment: "Z98Y76.doc"
- matching /[A-Z0-9]{4,14}\.doc/
They indicate an additional download location of:

gofishretail.com/jo.jpg?[4-digit-random-number]

with an additional C2 location of:

113.30.152.170 (Net4india , India)

Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170



No comments: