
Friday, 22 January 2016

Malware spam: "Message from KONICA_MINOLTA" / MFD / scanner / SKM_4050151222162800.doc

At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.
Subject:    Message from KONICA_MINOLTA
Subject:    Message from MFD
Subject:    Message from scanner
The spam appears to come from within the victim's own domain, from one of the following email addresses:
MFD@victimdomain.tld
scanner@victimdomain.tld
KONICA_MINOLTA@victimdomain.tld
This is just a simple forgery; it doesn't mean that your organisation has been compromised. It really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in three versions (VirusTotal [1] [2] [3]). The Malwr reports [4] [5] [6] indicate executable download locations at:

www.showtown-danceband.de/ghf56sgu/0976gg.exe
ausonia-feng-shui.de/ghf56sgu/0976gg.exe
gahal.cz/ghf56sgu/0976gg.exe
This binary has a detection rate of 1/54, and that VirusTotal report plus this Malwr report show it phoning home to:

192.241.207.251 (Digital Ocean Inc., US)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220.
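The indicators above (the three subjects, the forged local-looking sender addresses, the fixed attachment name, the download URLs and the phone-home IP) are enough to triage mail-gateway and proxy logs for this run. The script below is an added example written for this post, not code from the blog; the log line formats, the own_domain value and the from_external flag are assumptions, so adapt the parsers to whatever your gateway actually emits.

```python
"""Triage helper for the "Message from KONICA_MINOLTA" / MFD / scanner Dridex run.

Added example, not the blog's own code. Indicators are quoted from the post;
the mail metadata and proxy log formats below are constructed for illustration.
"""
import re
from ipaddress import ip_address

# Indicators quoted from the post.
SPAM_SUBJECTS = {
    "Message from KONICA_MINOLTA",
    "Message from MFD",
    "Message from scanner",
}
FORGED_LOCALPARTS = {"mfd", "scanner", "konica_minolta"}
ATTACHMENT_NAME = "SKM_4050151222162800.doc"
DOWNLOAD_HOSTS = {"www.showtown-danceband.de", "ausonia-feng-shui.de", "gahal.cz"}
DOWNLOAD_PATH = "/ghf56sgu/0976gg.exe"
C2_IP = ip_address("192.241.207.251")

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage_mail(subject, mail_from, attachments, own_domain, from_external=True):
    """Return the indicators matched by one inbound message (empty list = clean).

    own_domain is your organisation's mail domain (assumed parameter). The post
    notes the sender is forged to look like a local scanner address; a message
    that claims to be from us but was received from an external relay
    (from_external=True) is the tell-tale sign of that forgery.
    """
    hits = []
    if subject.strip() in SPAM_SUBJECTS:
        hits.append("subject")
    localpart, _, domain = mail_from.rpartition("@")
    if (from_external
            and localpart.lower() in FORGED_LOCALPARTS
            and domain.lower() == own_domain.lower()):
        hits.append("forged-local-sender")
    if any(a.lower() == ATTACHMENT_NAME.lower() for a in attachments):
        hits.append("attachment")
    return hits


def triage_proxy_line(line):
    """Classify one proxy/firewall log line: 'payload-download', 'c2-callback' or None."""
    m = URL_RE.search(line)
    if m:
        host = m.group(1).lower()
        path = m.group(2) or "/"
        if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
            return "payload-download"
    for ip_str in IP_RE.findall(line):
        try:
            if ip_address(ip_str) == C2_IP:
                return "c2-callback"
        except ValueError:  # regex can match nonsense like 999.1.1.1
            pass
    return None


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    print(triage_mail("Message from scanner", "scanner@example.com",
                      ["SKM_4050151222162800.doc"], "example.com"))
    for line in [
        "2016-01-22T09:14:03 10.0.0.12 GET http://gahal.cz/ghf56sgu/0976gg.exe 200",
        "2016-01-22T09:14:10 10.0.0.12 TCP_CONNECT 192.241.207.251:443",
        "2016-01-22T09:15:00 10.0.0.13 GET http://example.org/index.html 200",
    ]:
        print(triage_proxy_line(line), "<-", line)
```

A "subject" or "attachment" hit alone is worth quarantining; a "payload-download" followed by a "c2-callback" from the same internal host means the document was opened and the macro ran, so that machine needs to be taken off the network rather than just having the IP blocked.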
3 comments:

Padhraic said...

Great, thanks, received just this morning.

eny said...

Me too, from "scanner@hotmail".

Unknown said...

Yeah, me too, but to my Google account.
I downloaded the zip file, but when I saw the type of file is ".js" this was too weird for me; after that I blocked it quickly.