Thursday 7 January 2016

Malware spam: "Invoice 01147665 19/12 £4024.80" / "Ibstock Group"

This fake financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam which was sent out earlier today.
From:    Amber Smith
Date:    7 January 2016 at 10:38
Subject:    Invoice 01147665 19/12 £4024.80


Happy New Year to you !

Hope you had a lovely break.

Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.

Its invoice  01147665  19/12  £4024.80  P/O ETCPO 35094

Can you have a look at it for me please?

Thank-you !

Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group
Supporting Ibstock, Ibstock-Kevington & Forticrete
+44 (0)1530 257371
VPN: 700 2371
+44 (0)1530 257379
The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far (there are probably more) with VirusTotal detection rates of 2/54 [1] [2] [3] and the Malwr reports [4] [5] [6] show these documents communicating with:

IPs are allocated to: (Ivanov Vitaliy Sergeevich, Ukraine) (Private Person Anton Malyi, Ukraine) (PE Tetyana Mysyk, Ukraine)

As before, a binary geroin.exe is dropped which communicates with: (Hetzner, Germany)

The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post.
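The post notes that the reference number in the subject is also the name of the attachment. The following script, an added example that is not part of the original post, turns that observation into a simple mail-gateway triage check: it builds a constructed sample message in the same shape as the one quoted above (the sender address, recipient and attachment contents are placeholders, and the attachment is assumed to be a .doc file), extracts the invoice number from the subject, and flags the message when an attachment carries that same number. The `triage` function is the reusable part; `build_sample_message` exists only to produce offline test input.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject pattern seen in this campaign: "Invoice <reference> <date> <amount>".
SUBJECT_RE = re.compile(r"\bInvoice\s+(\d{6,})\b", re.IGNORECASE)


def build_sample_message(reference: str, attachment_name: str, sender: str) -> bytes:
    """Constructed sample message in the shape of the quoted spam (not a real capture)."""
    msg = EmailMessage()
    # Sender/recipient addresses are placeholders (.invalid is reserved, never routable).
    msg["From"] = f"{sender} <credit.control@example.invalid>"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = f"Invoice {reference} 19/12 £4024.80"
    msg.set_content(f"Its invoice  {reference}  19/12  £4024.80  P/O ETCPO 35094\n")
    # The attachment body is a placeholder blob; only the filename matters for this check.
    msg.add_attachment(b"placeholder-bytes", maintype="application",
                       subtype="msword", filename=attachment_name)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report whether it matches the campaign pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    match = SUBJECT_RE.search(subject)
    reference = match.group(1) if match else None

    # Collect the declared filenames of every attachment part.
    attachments = [part.get_filename() for part in msg.iter_attachments()
                   if part.get_filename()]
    # The campaign signature: an attachment named after the invoice number in the subject.
    matching = [name for name in attachments if reference and reference in name]

    if matching:
        reason = f"attachment {matching[0]} named after subject reference {reference}"
    elif reference:
        reason = "invoice subject but no attachment named after the reference"
    else:
        reason = "subject does not match the invoice pattern"

    return {
        "reference": reference,
        "attachments": attachments,
        "suspicious": bool(matching),
        "reason": reason,
    }


if __name__ == "__main__":
    sample = build_sample_message("01147665", "01147665.doc", "Amber Smith")
    print(triage(sample))
```

The check is deliberately narrow: it keys on the one structural trait the post describes rather than on sender names or amounts, which the post says vary between samples. On a real gateway it would sit alongside hash matching against the sample MD5s and the recommended blocklist rather than replace them.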

1 comment:

Unknown said...

Got it as well, mine was from Levi Mann, and also I got a second email that looked like this...

To Whom It May Concern,

Please find attached an invoice relating to Penalty Charge Notice Number IA52773626 along with a copy of the contravention.

In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don't hesitate to contact me.

Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.

Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.