From: Amber Smith
Date: 7 January 2016 at 10:38
Subject: Invoice 01147665 19/12 £4024.80
Hi,
Happy New Year to you !
Hope you had a lovely break.
Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.
It's invoice 01147665 19/12 £4024.80 P/O ETCPO 35094
Can you have a look at it for me please?
Thank-you !
Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group
Supporting Ibstock, Ibstock-Kevington & Forticrete
-----------------------------------------------
( +44 (0)1530 257371
( VPN: 700 2371
6 +44 (0)1530 257379
The sender's name varies, as does the reference number, which matches the name of the attachment. I have seen three unique samples so far (there are probably more) with VirusTotal detection rates of 2/54 [1] [2] [3], and the Malwr reports [4] [5] [6] show these documents communicating with:
193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php
IPs are allocated to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)
As before, a binary geroin.exe is dropped which communicates with:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post.
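As an added example (not part of the original post), the indicators above applied to constructed Squid-style proxy log lines, so a defender can check whether any internal host reached the document beacon path or the geroin.exe C2; the log format and the sample lines are assumptions, the IPs and path come from the post:

```python
import re

# Indicators quoted in the post above: document C2 hosts/path and the geroin.exe C2 host.
DOC_C2_IPS = {"193.201.227.12", "91.223.88.205", "176.103.62.108"}
DOC_C2_PATH = "/ideal/jenny.php"
PAYLOAD_C2_IPS = {"78.47.119.93"}

# Assumed log format: Squid native access.log
# "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?")

def classify(url):
    """Tag a URL that matches an indicator from the post; return None otherwise."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host"), m.group("path") or "/"
    if host in DOC_C2_IPS:
        # Exact path is the document beacon; any other contact with the host is still notable.
        return "document-c2" if path == DOC_C2_PATH else "document-c2-host"
    if host in PAYLOAD_C2_IPS:
        return "dridex-c2"
    return None

def scan_log(lines):
    """Return one hit per log line whose URL matches an indicator; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify(m.group("url"))
        if tag:
            hits.append({"client": m.group("client"), "url": m.group("url"), "tag": tag})
    return hits

# Constructed sample lines (not real traffic); the first, third and fourth should be flagged.
SAMPLE_LOG = [
    "1452162000.123    210 10.0.0.15 TCP_MISS/200 1543 POST http://193.201.227.12/ideal/jenny.php - HIER_DIRECT/193.201.227.12 text/html",
    "1452162001.456     98 10.0.0.22 TCP_MISS/200 8812 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1452162030.789    305 10.0.0.15 TCP_MISS/200 402 POST http://78.47.119.93/ - HIER_DIRECT/78.47.119.93 text/html",
    "1452162045.001    120 10.0.0.31 TCP_MISS/404 310 GET http://91.223.88.205/other.php - HIER_DIRECT/91.223.88.205 text/html",
    "this line is not a squid record",
]
```

Running `scan_log(SAMPLE_LOG)` returns three hits: the beacon from 10.0.0.15, the same client reaching the Dridex C2, and 10.0.0.31 touching a listed host on a different path.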
1 comment:
Got it as well, mine was from Levi Mann, and also I got a second email that looked like this:
To Whom It May Concern,
Please find attached an invoice relating to Penalty Charge Notice Number IA52773626 along with a copy of the contravention.
In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don't hesitate to contact me.
Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.
Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.
Regards,
Avery