Sponsored by..

Thursday 17 December 2015

Malware spam: "12/16 A Invoice"

This fake financial spam leads to malware:
From:    Kelley Small
Date:    17 December 2015 at 08:39
Subject:    12/16 A Invoice

Hi,
Please find attached a recharge invoice for your broadband.

Many thanks,
Kelley Small
The sender's name is randomly generated, for example:

Harris Page
Leonel Kramer
Gracie Fuentes
Earlene Aguirre
Jerri Whitfield
Art Keith
Freeman Gregory
Moses Larson
Leanna Fletcher

There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least six different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2] [3] [4] [5] [6] [7]). Detection rates are close to zero.

The Malwr reports for those documents is a mixed bag [1] [2] [3] [4] [5] [6] [7] is a mixed bag, but overall they spot data being POSTed to:

179.60.144.18/chicken/bacon.php
91.203.5.169/chicken/bacon.php


Sources tell me there is another download location of:

195.191.25.145/chicken/bacon.php

Those IPs are likely to be malicious and belong to:

179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)



They also GET from:

savepic.su/6786586.png

A file karp.exe  is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54. According to this Malwr report this communicates with:

80.96.150.201 (SC-Nextra Telecom SRL, Romania)

It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.

MD5s:
1FBF5BE463CE094A6F7AD345612EC1E7
69F7AFB14E0E6450C4D122C53365A048
1A4048FA8B910CE6620A91A630B32CF6
7034285D8AA1EC84CFDFF530069ECF77
E0019B311E0319AB3C79C5CDAF5A067D
D08BC2E90E6BB63FB4AEBA63C0E298F4
3ED7EDC00C2C62548B83BCDAAA43C47A
B9D135801A8008EA74584C3DEB1BE8D4


Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145

savepic.su

UPDATE 12/1/16 

The same message format is being used for another attack with a slightly different payload, which is the same as used in this spam run.

No comments: