
Thursday 21 January 2016

Malware spam FAIL: "Credit UB 7654321 dated 15.01.15 £12,345.67 - COMPANY NAME"

This fake financial spam is meant to have a malicious attachment. Company names, senders, values and reference numbers vary, but here are some examples:

From:    Inez Rhodes
Date:    21 January 2016 at 12:33
Subject:    Credit UB 1130909 dated 15.01.15 £26,842.15 - EXOVA GRP PLC

Hi,

Please find attached Debit Note UB11309096 which will offset UB 11309097

Due to a system error UB11309097 was raised with an invoice date being 20/01/15, when it should have been 22/01/16

Regards,

Inez Rhodes
Management Accountant - EXOVA GRP PLC
t. 01523 171 662
f. 0888 650 6709

==========

From:    Cortez Bird
Date:    21 January 2016 at 12:40
Subject:    Credit UB 1793159 dated 15.01.15 £77,538.80 - BARCLAYS PLC


Hi,

Please find attached Debit Note UB17931596 which will offset UB 17931597

Due to a system error UB17931597 was raised with an invoice date being 20/01/15, when it should have been 22/01/16

Regards,

Cortez Bird
Management Accountant - BARCLAYS PLC
t. 01662 855 271
f. 0882 284 7942

==========

From:    Autumn Pierce
Date:    21 January 2016 at 11:39
Subject:    Credit UB 1911242 dated 15.01.15 £73,910.50 - GLOBAL PORTS INVESTMENTS PLC

Hi,

Please find attached Debit Note UB19112426 which will offset UB 19112427

Due to a system error UB19112427 was raised with an invoice date being 20/01/15, when it should have been 22/01/16

Regards,

Autumn Pierce
Management Accountant - GLOBAL PORTS INVESTMENTS PLC
t. 01361 953 147
f. 0883 597 3136

Example attachment names are:
HPscanner3F3AB@ebene-events.net_250371.doc
HPscanner5CF83@hacettepe.edu.tr_8760547.doc
Sharp87143@autoprivoz.ru_3718432.doc
HPscanner7180F@instrument-pily.ru_1587243.doc


In all the samples I have seen, the attachment is not formatted correctly and cannot be downloaded. Typically it will appear to be a 0 byte file with no name, but results might vary depending on the mail client.

After manually decoding the malware from the Base64 section in the email, I found two distinct versions of the attachment (VirusTotal [1] [2]) and the Malwr reports [3] [4] show a malicious download from:

5.189.216.101/dropbox/download.php

The payload is the Dridex banking trojan (botnet 120) as described here.
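The manual decoding mentioned above, as an added example that is not part of the original post: a small Python carver that ignores the broken MIME headers, pulls base64 runs straight out of the raw message, repairs missing padding and hashes the result so it can be checked against VirusTotal. The message it parses is a constructed stand-in with an OLE2 magic header, not one of the real samples.

```python
import base64
import hashlib
import re

# Constructed sample standing in for the malformed spam: the attachment part is
# base64 but its Content-Disposition header is broken (empty filename), so a mail
# client shows a nameless 0-byte attachment. The "file" is an OLE2 magic header
# plus filler, not real malware.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"A" * 80
RAW_EMAIL = (
    b"From: Inez Rhodes <sender@example.invalid>\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease find attached Debit Note\r\n"
    b"--b1\r\nContent-Type: application/msword\r\nContent-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename=""\r\n\r\n'
    + base64.encodebytes(FAKE_DOC) + b"--b1--\r\n"
)

B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MAGIC = {b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2", b"PK\x03\x04": "zip", b"MZ": "pe"}

def file_kind(data):
    """Rough type guess from leading bytes: OLE2 (.doc/.xls), zip (.docx), PE."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def recover_base64_parts(raw, min_lines=2, min_first_len=60):
    """Carve and decode base64 runs from a raw message without trusting MIME headers.
    A run is >= min_lines consecutive base64-only lines whose first line is at least
    min_first_len chars (skips lone words such as 'Regards'); padding is repaired."""
    lines = [ln.strip() for ln in raw.split(b"\n")]
    parts, run, start = [], [], 0
    for i, ln in enumerate(lines + [b""]):  # sentinel flushes the final run
        if ln and B64_LINE.match(ln):
            if not run:
                start = i
            run.append(ln)
            continue
        if len(run) >= min_lines and len(run[0]) >= min_first_len:
            blob = b"".join(run)
            try:  # pad to a multiple of 4 in case the sender stripped the '='
                data = base64.b64decode(blob + b"=" * (-len(blob) % 4))
                parts.append({"line": start, "size": len(data), "kind": file_kind(data),
                              "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            except ValueError:  # hopelessly damaged run; skip it
                pass
        run = []
    return parts
```

Each recovered part carries the line it started on, its size, a magic-byte type guess and a SHA-256 that can be looked up on VirusTotal without ever opening the file.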
