From: Gompels Healthcare ltd [salesledger@gompels.co.uk]
Date: 21 January 2016 at 12:57
Subject: Gompels Healthcare Ltd Invoice

Hello
Please see attached pdf file for your invoice
Thank you for your business

The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:

return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe
That marks it out as Dridex 220, similar to this spam run. However, the executable has changed from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal. The malware still phones home to the same IP of 216.224.175.92 as before.
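The indicators above (the two payload URLs and the C2 address) are the kind of thing worth sweeping proxy logs for, since the dropped executable itself has no AV coverage. The script below is an added example, not part of the original post: it parses Squid-style access.log lines (the log format is an assumption; the sample lines are constructed) and reports, per client, whether the payload download and/or the phone-home to 216.224.175.92 was seen.

```python
"""Sweep a proxy log for the Dridex IoCs published in the post.

Added example, not code from the original post. The IoCs are the ones the
post lists; the log format (Squid native access.log) and the sample lines
are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators from the post.
PAYLOAD_URLS = {
    "return-gaming.de/8h75f56f/34qwj9kk.exe",
    "phaleshop.com/8h75f56f/34qwj9kk.exe",
}
PAYLOAD_DOMAINS = {u.split("/", 1)[0] for u in PAYLOAD_URLS}
PAYLOAD_PATH = "/8h75f56f/34qwj9kk.exe"
C2_IP = "216.224.175.92"

# Constructed sample log (Squid native format:
# time elapsed client code/status bytes method url ident hierarchy type).
SAMPLE_LOG = [
    "1453377420.123    245 10.1.2.34 TCP_MISS/200 187392 GET http://return-gaming.de/8h75f56f/34qwj9kk.exe - HIER_DIRECT/198.51.100.7 application/octet-stream",
    "1453377425.456     12 10.1.2.34 TCP_TUNNEL/200 1536 CONNECT 216.224.175.92:443 - HIER_DIRECT/216.224.175.92 -",
    "1453377430.789      8 10.1.2.99 TCP_MISS/200 4096 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1453377500.001    301 10.1.2.57 TCP_MISS/200 187392 GET http://phaleshop.com/8h75f56f/34qwj9kk.exe - HIER_DIRECT/203.0.113.9 application/octet-stream",
    "# a malformed line that the parser must skip",
]

SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


@dataclass
class Hit:
    line_no: int
    client: str
    stage: str       # "download", "download-suspect" or "c2"
    indicator: str   # the host/path that matched


def split_url(url):
    """Return (host, path) for a proxy URL; CONNECT targets look like host:port."""
    hostpath = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    host = hostpath.split("/", 1)[0].split(":")[0].lower()
    path = "/" + hostpath.split("/", 1)[1] if "/" in hostpath else "/"
    return host, path


def scan_proxy_log(lines):
    """Match every parseable line against the download URLs and the C2 IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SQUID_RE.match(line)
        if not m:
            continue  # not an access.log record
        host, path = split_url(m.group("url"))
        client = m.group("client")
        if host in PAYLOAD_DOMAINS and path == PAYLOAD_PATH:
            hits.append(Hit(n, client, "download", host + path))
        elif host in PAYLOAD_DOMAINS or path.endswith(PAYLOAD_PATH):
            # Same dropper host with another path, or the same payload path on
            # a host not yet on the list: worth a look, but not a confirmed match.
            hits.append(Hit(n, client, "download-suspect", host + path))
        if host == C2_IP:
            hits.append(Hit(n, client, "c2", host))
    return hits


def summarise(hits):
    """Map each client IP to the set of stages observed for it."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h.client, set()).add(h.stage)
    return by_client


if __name__ == "__main__":
    for client, stages in sorted(summarise(scan_proxy_log(SAMPLE_LOG)).items()):
        verdict = "rebuild" if "c2" in stages else "isolate and investigate"
        print(f"{client}: {sorted(stages)} -> {verdict}")
```

A client that shows both the download and the C2 contact has almost certainly executed the payload; one that only fetched the executable may have been blocked or may simply not have beaconed yet, so it still needs isolation and a closer look.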
5 comments:
What happens if I opened the document? Which I have. Realised my mistake and pulled out the router after 30 seconds.
@David - the malware will attempt to infect Windows PCs running Microsoft Word. This version seems to use a macro. To check if you are vulnerable to running macros, go into File.. Options.. Trust Center.. click the Trust Center Settings and check the "Macro settings". If you have any one of the three "disabled" settings, you should be OK.
If the macros are set to "enabled" then you have a problem and should assume you are infected. Unless you are monitoring network traffic then it can be very hard to detect if the machine is infected. In our organisation we tend to rebuild Dridex-infected machines from scratch. Alternatively, you can try a really good anti-malware product such as Malwarebytes - https://www.malwarebytes.org/mwb-download/ - which has a good chance of disinfecting it. I would leave the machine switched off for a couple of days, this will enable anti-virus vendors to get updated signatures out.
Good luck..
Just checked, and "Disable all macros with notification" is clicked.
So here's hoping.
Thanks for your help Conrad.
I cannot believe how stupid I was.
We found out that somebody was spoofing us yesterday and even though it's not come from us we've put in place some extra security and all our e-mails are now DKIM signed.
Has anyone logged behavior in Windows 10 yet or with Office 15 and above?