
Thursday 21 January 2016

Malware spam: "Your Telephone Bill Invoices & Reports" / "The Billing Team" [noreply@callbilling.co.uk]

This fake financial spam has a malicious attachment.

From     "The Billing Team" [noreply@callbilling.co.uk]
Date     Thu, 21 Jan 2016 11:44:19 +0100
Subject     Your Telephone Bill Invoices & Reports

Please see the attached Telephone Bill & Reports.

Please use the contact information found on the invoice if you wish to contact your
service provider.

This message was sent automatically.

**********************************************************************************
If you have received this e-mail in error, please delete the message from your computer.

This e-mail and any attachments may contain information which is private and confidential
and should only be read by those persons to whom it is addressed. Your Call Billing
Provider accepts no liability for loss or damage suffered by any person arising from
the use of this e-mail.
The unauthorised use, disclosure or copying of this e-mail or any information contained
within, is strictly prohibited. Any views expressed in this e-mail are those of the
individual sender, except where the message states otherwise.
We take reasonable precautions to ensure our e-mails are virus free.  We recommend
that you subject any incoming e-mail to your own virus checking procedure.

Please see the full terms and conditions on your call billing providers web site.
These are subject to change and we recommend that you review them periodically.

I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53. The Malwr report for that document shows a download location of:

bolmgren.com/8h75f56f/34qwj9kk.exe

That is one of the locations found with this earlier spam run, and the payload is the Dridex banking trojan.

1 comment:

Nyebodnye said...

Payload locations - same as previous bot runs

hxxp://bolmgren.com/8h75f56f/34qwj9kk.exe
hxxp://return-gaming.de/8h75f56f/34qwj9kk.exe
hxxp://phaleshop.com/8h75f56f/34qwj9kk.exe
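
As an added example (not part of the original post or its comment), the following sketch checks web proxy logs for requests to the download locations listed above. The log format, client addresses and the example.org/example.com lines are constructed, and flagging a path-only match is an assumption based on the three listed URLs sharing one path.

```python
import re
from urllib.parse import urlsplit

# Download locations exactly as listed on this page (kept defanged in source).
DEFANGED = [
    "hxxp://bolmgren.com/8h75f56f/34qwj9kk.exe",
    "hxxp://return-gaming.de/8h75f56f/34qwj9kk.exe",
    "hxxp://phaleshop.com/8h75f56f/34qwj9kk.exe",
]

# Constructed proxy log lines; assumed format: time client method url status.
SAMPLE_LOG = """\
2016-01-21T10:45:02Z 10.0.0.15 GET http://bolmgren.com/8h75f56f/34qwj9kk.exe 200
2016-01-21T10:45:09Z 10.0.0.22 GET http://example.org/8h75f56f/34qwj9kk.exe 404
2016-01-21T10:46:30Z 10.0.0.15 GET http://www.phaleshop.com/index.html 200
2016-01-21T10:47:11Z 10.0.0.31 GET http://example.com/invoice.pdf 200
"""

def refang(ioc):
    """Make a defanged indicator parseable; used for matching only, never fetched."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")

def build_index(iocs):
    """Split the indicators into a set of hosts and a set of paths."""
    parts = [urlsplit(refang(i)) for i in iocs]
    return {p.hostname.lower() for p in parts}, {p.path for p in parts}

def classify(url, hosts, paths):
    """Return 'exact', 'path-only', 'host-only' or None for one requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    host = host[4:] if host.startswith("www.") else host
    host_hit, path_hit = host in hosts, parts.path in paths
    if host_hit and path_hit:
        return "exact"
    # Same path on an unlisted host: possibly another location from the same run.
    if path_hit:
        return "path-only"
    return "host-only" if host_hit else None

def scan(log_text, iocs=DEFANGED):
    """Return (client, verdict, url) for every log line that matches an indicator."""
    hosts, paths = build_index(iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        verdict = classify(fields[3], hosts, paths) if len(fields) >= 5 else None
        if verdict:
            hits.append((fields[1], verdict, fields[3]))
    return hits
```

An "exact" hit means a client requested the payload itself, while "host-only" and "path-only" hits are leads to triage rather than confirmed downloads.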