From: June Rojas [RojasJune95@myfairpoint.net]Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc which has a VirusTotal detection rate of 5/54. Analysis is pending, however this is likely to be the Dridex banking trojan.
Date: 16 February 2016 at 09:34
Subject: ATTN: Invoice J-06593788
Dear nhardy,
Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
June Rojas
Apache Corporation www.apachecorp.com
UPDATE 1
This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1] [2] [3] and it shows that the macro dowloads from one of the following locations:
www.southlife.church/34gf5y/r34f3345g.exe
www.iglobali.com/34gf5y/r34f3345g.exe
www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe
Curiously, the binary downloaded from each location is different, with the following MD5s:
CBE75061EB46ADABC434EAD22F85B36E
B06D9DD17C69ED2AE75D9E40B2631B42
FB6CA1CD232151D667F6CD2484FEE8C8
Each one phones home to a different location, the ones I have identified are:
109.234.38.35 (McHost.ru, Russia)
86.104.134.144 (One Telecom SRL, Moldova)
195.64.154.14 (Ukrainian Internet Names Center, Ukraine)
There may be other samples with other behaviour.
UPDATE 2
It is possible that this is dropping ransomware, not Dridex. One other download location identified here:
www.villaggio.airwave.at/34gf5y/r34f3345g.exe
This one has an MD5 of:
1FD40A253BAB50AED41C285E982FCA9C
Detection rate is 5/53 but I do not yet know where this phones home to.
UPDATE 3
That last sample phones home to:
91.195.12.185 (PE Astakhov Pavel Viktorovich, Ukraine)
according to this Hybrid Analysis.
Recommended blocklist:
109.234.38.0/24
86.104.134.128/25
195.64.154.14
91.195.12.185
UPDATE 4
It appears that this is dropping some ransomware called "Locky" apparently by the makers of Dridex, according to this.
1 comment:
any ways to remove this thing?? we are getting hit pretty hard
Post a Comment