Sponsored by..

Thursday, 21 January 2016

Malware spam: "Gompels Healthcare Ltd Invoice" / Gompels Healthcare ltd [salesledger@gompels.co.uk]

This fake financial spam does not come from Gompels Healthcare Ltd but is instead a simple forgery with a malicious attachment.

From:    Gompels Healthcare ltd [salesledger@gompels.co.uk]
Date:    21 January 2016 at 12:57
Subject:    Gompels Healthcare Ltd Invoice

Hello
Please see attached pdf file for your invoice
Thank you for your business
The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:

return-gaming.de/8h75f56f/34qwj9kk.exe
phaleshop.com/8h75f56f/34qwj9kk.exe

That marks it out as Dridex 220, similar to this spam run. However, the executable has change from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal. However, the malware still phones home to the same IP of 216.224.175.92 as  before.

Posted by at
Labels: , , , ,

5 comments:

Unknown said...

What happens if I opened document? Which I have. Realised my mistake and pulled out router after 30 seconds

21 January 2016 at 15:53
Conrad Longmore said...

@David - the malware will attempt to infect Windows PCs running Microsoft Word. This version seems to use a macro. To check if you are vulnerable to running macros, go into File.. Options.. Trust Center.. click the Trust Center Settings and check the "Macro settings". If you have any one of the three "disabled" settings, you should be OK.

If the macros are set to "enabled" then you have a problem and should assume you are infected. Unless you are monitoring network traffic then it can be very hard to detect if the machine is infected. In our organisation we tend to rebuild Dridex-infected machines from scratch. Alternatively, you can try a really good anti-malware product such as Malwarebytes - https://www.malwarebytes.org/mwb-download/ - which has a good chance of disinfecting it. I would leave the machine switched off for a couple of days, this will enable anti-virus vendors to get updated signatures out.

Good luck..

21 January 2016 at 16:54
Unknown said...

Just checked and disable all macros with notification clicked.

So here's hoping.

Thanks for your help Conrad.

I cannot believe how stupid I was.

21 January 2016 at 17:32
Anonymous said...

We found out that somebody was spoofing us yesterday and even though it's not come from us we've put in place some extra security and all our e-mails are now DKIM signed.

22 January 2016 at 11:43
GGarrenton said...

Has anyone logged behavior in Windows 10 yet or with Office 15 and above?

22 January 2016 at 13:34

Post a Comment

Subscribe to: Post Comments (Atom)