Sponsored by..

Monday 11 January 2016

Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / "Andrew Williams [andrew.williams@eurocoin.co.uk]"

This fake financial spam does not come from E-Service (Europe) Ltd but is instead a simple forgery with a malicious attachment:

From     Andrew Williams [andrew.williams@eurocoin.co.uk]
Date     Mon, 11 Jan 2016 17:07:38 +0700
Subject     E-Service (Europe) Ltd Invoice No: 10013405

Dear Customer,

Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.

Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:

Tel (44) 01707 280000
Email: accounts@e-service.co.uk
Or logon and register to access your  customer portal where you can view all historic
orders & transactions on www.e-service.co.uk

PLEASE NOTE NEW E-SERVICE (EUROPE)  BANK DETAILS:

Currency        A/C No.         Sort Code         Swift Code      IBAN No.

GBP               21698613         40-04-37         MIDLGB22            GB48MIDL40043721698613
EUR               71685997         40-05-15         MIDLGB22           GB75MIDL40051571685997

Kind regards

E-Service (Europe) Accounts Team
E-Service have been exceptionally quick about posting an update on their Twitter page. However, they have not been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan.

So far, I have seen five different versions of the attachment, all named Invoice 10013405.XLS and with detection rates of about 8/55 [1] [2] [3] [4] [5]. Analysis of the attachments is pending, please check back later.

UPDATE

The Malwr reports for the attachment [1] [2] [3] [4] [5] show that the macro in the spreadsheet downloads a file from the following locations:

arellano.biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational.org/5fgbn/7tfr6kj.exe
www.c0-qadevtest.net/5fgbn/7tfr6kj.exe


This dropped file has a detection rate of 1/55. It is the same binary as found in this earlier spam run which phones home to:

114.215.108.157 (Aliyun Computing Co, China)

This is an IP that I strongly recommend blocking.

Dropped file MD5:
3d59b913f823314ca85839b60a9d563a

Attachment MD5s:
0a4cf4956f7725cc48809bf19759371c
b1bbced1425bcba77735017f6da21659
8f2803bb7564e85e4a5db6c877067a9f
295fe8083a872b9c3edf4439f3a00c67
9440167e49553f2a1d8aa1e38752e497


No comments: