From: THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]
Date: 14 December 2015 at 11:15
Subject: Invoice 14 12 15
This message contains 2 pages in PDF format.
Curiously, the bad guys have gone as far as to include a fake header to make it look like a fax:
X-Mailer: ActiveFax 3.92
Attached is a file fax00163721.xls which is fairly obviously not a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:
exfabrica.org/437g8/43s5d6f7g.exe
test-cms.reactive.by/437g8/43s5d6f7g.exe
This binary has a detection rate of 0/54. That VirusTotal report and this Hybrid Analysis both show traffic to:
199.7.136.84 (Megawire, Canada)
This malware is likely to be Dridex. Given that it is similar to the one found here, I would recommend blocking network traffic to:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
MD5s:
a0de2560362cc6dfc53d1cd5ff50559b
bd22c4b0b6996a8405b2d33696e1e71e
b1fff594a8877042efd0ed4d67f6feb6
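As an added example (not part of the original post), the script below turns the indicators listed above into two practical checks: it spots the "claims to be a PDF, is actually an Office file" trick by looking at the attachment's magic bytes rather than its name, and it runs the IPs, download URLs and MD5s against proxy log lines. The IOC values are the ones quoted in the post; the log lines and the attachment bytes are constructed for the demonstration.

```python
"""Added example: apply the post's IOCs to an attachment and to proxy logs.
The IOC values come from the post; SAMPLE_LOGS and OLE_STUB are constructed."""
import hashlib
import re

# Indicators quoted in the post
BLOCKED_IPS = {"199.7.136.84", "221.132.35.56", "202.69.40.173", "78.47.66.169"}
DOWNLOAD_URLS = {
    "exfabrica.org/437g8/43s5d6f7g.exe",
    "test-cms.reactive.by/437g8/43s5d6f7g.exe",
}
MALICIOUS_MD5 = {
    "a0de2560362cc6dfc53d1cd5ff50559b",
    "bd22c4b0b6996a8405b2d33696e1e71e",
    "b1fff594a8877042efd0ed4d67f6feb6",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sniff_type(data: bytes) -> str:
    """Identify the container by magic bytes, ignoring the file name entirely."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"   # legacy .xls/.doc container, the usual home of VBA macros
    if data.startswith(b"PK\x03\x04"):
        return "zip"    # OOXML (.xlsx/.docm) or a plain archive
    return "unknown"


def check_attachment(filename: str, data: bytes, claimed_type: str) -> dict:
    """Compare what the message claims the attachment is with what it really is."""
    real = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "extension": ext,
        "claimed": claimed_type,
        "real": real,
        "md5": hashlib.md5(data).hexdigest(),
        "known_bad_hash": hashlib.md5(data).hexdigest() in MALICIOUS_MD5,
        "suspicious": real != claimed_type,
    }


def scan_logs(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every IOC hit, deduplicated per line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        found = set()
        for ip in IPV4_RE.findall(line):
            if ip in BLOCKED_IPS:
                found.add(("ip", ip))
        for url in DOWNLOAD_URLS:
            if url in line:
                found.add(("url", url))
        hits.extend((lineno, kind, ioc) for kind, ioc in sorted(found))
    return hits


# Constructed sample data (not from the post): an OLE2 magic header padded to
# 512 bytes standing in for the .xls attachment, and three Squid-style log lines.
OLE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
SAMPLE_LOGS = [
    "1450091700.123 203 10.0.0.5 TCP_MISS/200 412345 GET "
    "http://exfabrica.org/437g8/43s5d6f7g.exe - HIER_DIRECT/1.2.3.4 application/octet-stream",
    "1450091712.456 18 10.0.0.5 TCP_MISS/200 1024 POST "
    "http://199.7.136.84/ - HIER_DIRECT/199.7.136.84 text/html",
    "1450091720.000 5 10.0.0.7 TCP_MISS/200 5000 GET "
    "http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    print(check_attachment("fax00163721.xls", OLE_STUB, "pdf"))
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

The attachment check deliberately ignores the extension when deciding `suspicious`: a mail gateway that trusts the ".xls" name, or the body's claim of "PDF format", learns nothing; the first eight bytes settle what the file is. The log scan matches the full host/path of the download URLs rather than the bare host names, so a legitimate visit to the compromised hosts' other pages does not fire.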