Wednesday 27 January 2016

Malware spam: "New Order" / Michelle Ludlow [Michelle.Ludlow@dssmith.com]

This fake financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.

From     Michelle Ludlow [Michelle.Ludlow@dssmith.com]
Date     Wed, 27 Jan 2016 17:27:22 +0800
Subject     New Order

Hi

Please see attached for tomorrow.

Thanks
Michelle Ludlow
Customer Services Co-Ordinator - Packaging Services

Packaging Division
Dodwells Road, Hinckley LE10 3BX, United Kingdom
T +44 (0)1455 892939 F  +44 (0)1455 892924
michelle.ludlow@dssmith.com
www.dssmith.com

This e-mail message is intended solely for the person to whom it is addressed and
may contain confidential or privileged information. If you have received it in error,
please notify us immediately and destroy this e-mail and any attachments. In addition,
you must not disclose, copy, distribute or take any action in reliance on this e-mail
or any attachments. Any views or opinions presented in this e-mail are solely those
of the author and do not necessarily represent those of the company. E-mail may be
susceptible to data corruption, interception, unauthorised amendment, viruses and
unforeseen delays, and we do not accept liability for any such data corruption, interception,
unauthorised amendment, viruses and delays or the consequences thereof. Accordingly,
this e-mail and any attachments are opened at your own risk. DS Smith Plc, registered
in England and Wales (company number 1377658), with its registered office at 350
Euston Road, London, NW1 3AX.

So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which, according to these Malwr reports [3] [4], download a malicious executable from the following locations:

vinagps.net/54t4f4f/7u65j5hg.exe
trendcheckers.com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 5/53. Those two Malwr reports and the VirusTotal report show the malware phoning home to:

119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)

I strongly recommend that you block traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity.
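The post describes a two-stage chain: a macro document fetches an executable from a fixed path on several compromised hosts, and the executable then phones home to a single IP. A practical way to act on that is to match the published indicators against web proxy logs, grading each hit by how much of the chain it confirms. The script below is an added example written for this post, not the blog's or the Malwr report's own code: it takes the download URLs from the post and its comment (the comment's defanged "[.]" forms are refanged), the C2 IP from the post, and runs them over a few constructed Squid-style access log lines. The log lines, client addresses and the "unlisted-host.example" hostname are all made up for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Payload URLs as listed on this page (post body and its comment).
# Defanged entries such as "grudeal[.]com" are normalised by refang().
RAW_URL_IOCS = [
    "vinagps.net/54t4f4f/7u65j5hg.exe",
    "trendcheckers.com/54t4f4f/7u65j5hg.exe",
    "www.hartrijders[.]com/54t4f4f/7u65j5hg.exe",
    "grudeal[.]com/54t4f4f/7u65j5hg.exe",
    "www.cityofdavidchurch[.]org/54t4f4f/7u65j5hg.exe",
]
# Phone-home address reported in the post.
C2_IPS = {"119.160.223.115"}


def refang(indicator: str) -> str:
    """Turn defanged notation ("[.]", "hxxp") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_url(indicator: str) -> Tuple[str, str]:
    """Return (lower-cased host, path) for a bare or schemed URL indicator."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


URL_IOCS = [split_url(u) for u in RAW_URL_IOCS]
IOC_HOSTS = {host for host, _ in URL_IOCS}
IOC_PATHS = {path for _, path in URL_IOCS}

# Squid native access log: "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

Hit = Tuple[str, str, str]  # (severity, reason, client address)


def classify(line: str) -> Optional[Hit]:
    """Grade one log line against the indicators; None means nothing matched."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    client, url = m.group("client"), m.group("url")
    if m.group("method") == "CONNECT":
        # CONNECT requests log "host:port" rather than a full URL.
        host, path = url.rsplit(":", 1)[0].lower(), ""
    else:
        host, path = split_url(url)
    if host in C2_IPS:
        return ("high", "traffic to known C2 address " + host, client)
    if host in IOC_HOSTS and path in IOC_PATHS:
        return ("high", "payload download from listed URL", client)
    if path in IOC_PATHS:
        # Same campaign path on a host not yet listed: worth a look, lower confidence.
        return ("medium", "payload path seen on new host " + host, client)
    if host in IOC_HOSTS:
        # Compromised legitimate sites also serve ordinary pages, so this alone is weak.
        return ("low", "contact with listed host " + host, client)
    return None


def scan(lines) -> List[Hit]:
    """Run classify() over an iterable of log lines and keep the non-clean results in order."""
    hits = []
    for line in lines:
        if line.strip():
            result = classify(line)
            if result:
                hits.append(result)
    return hits


# Constructed sample log; timestamps, clients and the last hostname are invented.
SAMPLE_LOG = """\
1453887000.101    312 10.0.0.17 TCP_MISS/200 214528 GET http://vinagps.net/54t4f4f/7u65j5hg.exe - DIRECT/vinagps.net application/x-dosexec
1453887004.550     45 10.0.0.17 TCP_MISS/200 512 POST http://119.160.223.115:8443/ - DIRECT/119.160.223.115 text/plain
1453887010.003     88 10.0.0.23 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
1453887020.777    290 10.0.0.31 TCP_MISS/200 214528 GET http://grudeal.com/54t4f4f/7u65j5hg.exe - DIRECT/grudeal.com application/x-dosexec
1453887030.111    301 10.0.0.42 TCP_MISS/200 214528 GET http://unlisted-host.example/54t4f4f/7u65j5hg.exe - DIRECT/unlisted-host.example application/x-dosexec
"""

if __name__ == "__main__":
    for severity, reason, client in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {client}: {reason}")
```

On the sample log this flags four lines: two full-URL downloads, the POST to the C2 address from the same client that fetched the first payload (the pattern the post describes), and a medium-confidence hit where the campaign path appears on a host not in the list. Matching the path separately from the host is the point of the grading: campaigns of this kind rotate compromised download hosts quickly, so the shared directory name is often the longer-lived indicator, while a bare hostname match is kept low because the sites involved are legitimate ones that have been compromised.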

1 comment:

security said...

We've seen versions with payload locations:
www.hartrijders[.]com/54t4f4f/7u65j5hg.exe
grudeal[.]com/54t4f4f/7u65j5hg.exe
www.cityofdavidchurch[.]org/54t4f4f/7u65j5hg.exe
Cheers,
D.