From: Inez Rhodes
Date: 21 January 2016 at 12:33
Subject: Credit UB 1130909 dated 15.01.15 £26,842.15 - EXOVA GRP PLC
Hi,
Please find attached Debit Note UB11309096 which will offset UB 11309097
Due to a system error UB11309097 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Inez Rhodes
Management Accountant - EXOVA GRP PLC
t. 01523 171 662
f. 0888 650 6709
==========
From: Cortez Bird
Date: 21 January 2016 at 12:40
Subject: Credit UB 1793159 dated 15.01.15 £77,538.80 - BARCLAYS PLC
Hi,
Please find attached Debit Note UB17931596 which will offset UB 17931597
Due to a system error UB17931597 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Cortez Bird
Management Accountant - BARCLAYS PLC
t. 01662 855 271
f. 0882 284 7942
==========
From: Autumn Pierce
Date: 21 January 2016 at 11:39
Subject: Credit UB 1911242 dated 15.01.15 £73,910.50 - GLOBAL PORTS INVESTMENTS PLC
Hi,
Please find attached Debit Note UB19112426 which will offset UB 19112427
Due to a system error UB19112427 was raised with an invoice date being 20/01/15, when it should have been 22/01/16
Regards,
Autumn Pierce
Management Accountant - GLOBAL PORTS INVESTMENTS PLC
t. 01361 953 147
f. 0883 597 3136
==========
Example attachment names are:
HPscanner3F3AB@ebene-events.net_250371.doc
HPscanner5CF83@hacettepe.edu.tr_8760547.doc
Sharp87143@autoprivoz.ru_3718432.doc
HPscanner7180F@instrument-pily.ru_1587243.doc
In all the samples I have seen, the attachment is not formatted correctly and cannot be downloaded. Typically it appears to be a 0-byte file with no name, but results might vary depending on the mail client.
After manually decoding the malware from the Base64 section in the email, I found two distinct versions of the attachment (VirusTotal [1] [2]) and the Malwr reports [3] [4] show a malicious download from:
5.189.216.101/dropbox/download.php
The payload is the Dridex banking trojan (botnet 120) as described here.
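The manual decode described above, as an added example (my code, not part of the original post or of any tool the post mentions): a small Python script that carves runs of Base64 out of a raw .eml whose attachment part has headers too broken for the mail client to decode, identifies each decoded blob by its magic bytes and hashes it for a VirusTotal lookup. The message and payload are constructed here; the payload is just an OLE2 (.doc) header plus filler, not the real sample, and the broken `Content-Disposition` header is an assumption about how the malformed part looks.

```python
"""Carve a Base64-encoded attachment out of a raw e-mail whose MIME part is
too broken for the mail client to decode it (shown as a nameless 0-byte file)."""
import base64
import binascii
import hashlib
import re

# Constructed sample payload: an OLE2 (legacy .doc) header followed by filler.
# Not the real Dridex dropper, just bytes with the right magic.
SAMPLE_PAYLOAD = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(range(256)) * 4


def _b64_lines(data: bytes, width: int = 76) -> str:
    """Base64-encode and wrap at 76 columns, as MIME encoders do."""
    enc = base64.b64encode(data).decode("ascii")
    return "\r\n".join(enc[i:i + width] for i in range(0, len(enc), width))


# Constructed raw message modelled on the samples above. The attachment part
# carries a Content-Type but no filename and an empty Content-Disposition
# (assumed), which is enough for some clients to show a nameless 0-byte file.
SAMPLE_EML = (
    "From: Inez Rhodes <ir@example.invalid>\r\n"
    "Subject: Credit UB 1130909 dated 15.01.15\r\n"
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Hi,\r\nPlease find attached Debit Note UB11309096\r\n"
    "--XYZ\r\n"
    "Content-Type: application/msword\r\n"
    "Content-Disposition: \r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + _b64_lines(SAMPLE_PAYLOAD) + "\r\n"
    "--XYZ--\r\n"
)

# A Base64 run: two or more long lines of Base64 alphabet, then an optional
# shorter (or '='-padded) final line. Single short lines are ignored so that
# ordinary words in the body do not produce false hits.
_B64_RUN = re.compile(
    r"(?:^[A-Za-z0-9+/]{40,}\r?\n){2,}"
    r"(?:^[A-Za-z0-9+/]+={0,2})?",
    re.M,
)

# Magic bytes of the file types this kind of malspam usually carries.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
    (b"PK\x03\x04", "ZIP container (docx/xlsx/jar)"),
    (b"MZ", "Windows PE executable"),
    (b"%PDF", "PDF document"),
]


def identify(data: bytes) -> str:
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_attachments(raw: str) -> list:
    """Return every decodable Base64 run in the raw message with type and hash."""
    found = []
    for m in _B64_RUN.finditer(raw):
        blob = "".join(m.group(0).split())  # strip the line breaks
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really Base64 (e.g. bad length or padding)
        found.append({
            "offset": m.start(),
            "size": len(data),
            "kind": identify(data),
            "sha256": sha256_hex(data),
            "data": data,
        })
    return found


if __name__ == "__main__":
    for att in carve_attachments(SAMPLE_EML):
        print(f"offset={att['offset']} size={att['size']} "
              f"kind={att['kind']} sha256={att['sha256']}")
        # Write att['data'] to disk here to submit it to a sandbox or VirusTotal.
```

On a real message, feed the script the saved .eml rather than the text the mail client renders, and hash the carved file before opening it anywhere but a sandbox.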