Sponsored by..

Tuesday 12 January 2016

Malware spam: "Payment Advice - 0002014343" / Bhavani Gullolla [bhavani.gullolla1@wipro.com]

This fake financial spam is not from Wipro but is instead a simple forgery with a malicious attachment.

From:    Bhavani Gullolla [bhavani.gullolla1@wipro.com]
Date:    12 January 2016 at 09:51
Subject:    Payment Advice - 0002014343

Dear Sir/Madam,

This is to inform you that we have initiated the electronic payment through our Bank.
Please find attached payment advice which includes invoice reference and TDS deductions if any.

Transaction Reference :
Vendor Code :9189171523
Company Code :WT01
Payer/Remitters Reference No :63104335
Beneficiary Details :43668548/090666
Paymet Method : Electronic Fund Transfer
Payment Amount :1032.00
Currency :GBP
Processing Date :11/01/2016

For any clarifications on the payment advice please mail us at  wipro.vendorhelpdesk@wipro.com OR
call Toll Free in India 1800-200-3199 between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order.



Regards,
VHD Signature
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a malicious binary from:

hotpointrepair.info/u5y4g3/76u54g.exe

This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55 and this Malwr report shows network traffic to:

199.231.189.9 (Interserver Inc, US)

I strongly recommend that you block this IP address.

Payload MD5:
b3d8604fee5ae6091928486c1fb11625

Attachment MD5s (there are probably others!)
3a73b39a8f84f96d8f9c19b4b88080c7
8fa6a1d7daebb9244db8458d99a45b38



UPDATE

There is an additional download location of:


per-forms.com/u5y4g3/76u54g.exe

The payload has changed but still has similar characteristics to before [VirusTotal report / Malwr report].

Payload MD5:
aaf2070192032e4e4cde5e16d0d7fcce

2 comments:

Jokstar said...

Also seen at per-forms.com 192.186.224.34

Unknown said...

Good find :)