Sponsored by..

Monday 11 January 2016

Malware spam: "Kaseya Invoice - 1ED0C068"

This fake financial email has a malicious attachment:

From:    Terry Cherry
Date:    11 January 2016 at 10:48
Subject:    Kaseya Invoice - 1ED0C068

Dear Accounts Payable,

Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.

Our bank details for wire transfer are included on the attached invoice.

Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@kaseya.com) for assistance with adding card details through our portal.


Please do not hesitate to let us know if you have any questions.

Thanks again for your patronage.

Sincerely,
Terry Cherry
Kaseya Customer Invoicing

Corporate: +1.415.694.5700 X4946
Email: CherryTerry66644@nyoda.com
The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very large number of variants of the attachments. In this case, I analysed three different attachments with detection rate of about 2/55 [1] [2] [3] and which according to these Malwr reports [4] [5] [6], downloads a binary from the following locations:

5.189.216.10/montana/login.php
77.246.159.154/montana/login.php
109.234.39.40/montana/login.php

All of these IPs should be considered to be malicious:

5.189.216.10 (LLHost Inc, Netherlands)
77.246.159.154 (JSC Server, Russia)
109.234.39.40 (McHost.ru, Russia)


A binary named trap.exe with an MD5 of aab74722020e631147836fc009f9419d and a detection rate of 5/54 is downloaded. According to this Malwr report the executable phones home to:

78.47.119.93 (Hetzner, Germany)


The payload is the Dridex banking trojan.

Recommended blocklist:
78.47.119.93
5.189.216.10
77.246.159.154
109.234.39.0/24



1 comment:

Unknown said...

Sender email is :CherryTerry66644@nyoda.com?