
Tuesday, 16 February 2016

Malware spam: ATTN: Invoice J-06593788 from random companies

This fake financial spam does not come from Apache Corporation but instead is a simple forgery with a malicious attachment.
From: June Rojas [RojasJune95@myfairpoint.net]
Date: 16 February 2016 at 09:34
Subject: ATTN: Invoice J-06593788

Dear nhardy,

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!

June Rojas
Apache Corporation      www.apachecorp.com
Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc which has a VirusTotal detection rate of 5/54. Analysis is pending, however this is likely to be the Dridex banking trojan.
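The spam above follows a fixed template: a subject of the form "ATTN: Invoice <letter>-<8 digits>", an invoice_*.doc attachment carrying the same id, and a signature that names a company whose web site has nothing to do with the sending domain. The following mail-gateway triage check for those three traits is an added example and not the post's own code; the message it inspects is a constructed reproduction of the sample quoted above, with dummy bytes in place of the real attachment.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns taken from the sample quoted in the post: subject "ATTN: Invoice J-06593788"
# and attachment "invoice_J-06593788.doc"; the letter-dash-8-digit id varies per message.
SUBJECT_RE = re.compile(r"^ATTN: Invoice ([A-Z]-\d{8})$")
ATTACHMENT_RE = re.compile(r"^invoice_([A-Z]-\d{8})\.doc$", re.IGNORECASE)
# The signature block names the impersonated company's web site (www.apachecorp.com).
SIGNATURE_SITE_RE = re.compile(r"\bwww\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def triage(msg: EmailMessage) -> list[str]:
    """Return the indicators matched; an empty list means nothing matched."""
    hits = []
    m_subj = SUBJECT_RE.match(str(msg.get("Subject", "")))
    if m_subj:
        hits.append("subject matches fake-invoice pattern")
    # A .doc attachment named like the invoice, ideally carrying the same id as the subject.
    for part in msg.iter_attachments():
        m_att = ATTACHMENT_RE.match(part.get_filename() or "")
        if m_att:
            hits.append("invoice .doc attachment")
            if m_subj and m_att.group(1) == m_subj.group(1):
                hits.append("attachment id matches subject id")
    # Forgery check: the From: domain against the company web site claimed in the signature.
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    m_site = SIGNATURE_SITE_RE.search(body.get_content() if body else "")
    if m_site and sender_domain:
        claimed = m_site.group(1).lower()
        if sender_domain != claimed and not sender_domain.endswith("." + claimed):
            hits.append(f"sender domain {sender_domain} does not match claimed {claimed}")
    return hits


def build_sample() -> EmailMessage:
    """Constructed reproduction of the spam quoted in the post; the attachment bytes are a dummy."""
    msg = EmailMessage()
    msg["From"] = "June Rojas <RojasJune95@myfairpoint.net>"
    msg["Subject"] = "ATTN: Invoice J-06593788"
    msg.set_content("Dear nhardy,\n\nPlease see the attached invoice (Microsoft Word Document) "
                    "and remit payment.\n\nJune Rojas\nApache Corporation      www.apachecorp.com\n")
    msg.add_attachment(b"dummy bytes, not a real document", maintype="application",
                       subtype="msword", filename="invoice_J-06593788.doc")
    return msg

if __name__ == "__main__":
    print(triage(build_sample()))
```

The sender-domain check is the one that survives a change of subject wording, since the forgery only works if the signature names a real company while the mail comes from somewhere else.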


This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1] [2] [3] and it shows that the macro downloads from one of the following locations:


Curiously, the binary downloaded from each location is different, with the following MD5s:


Each one phones home to a different location; the ones I have identified are: (McHost.ru, Russia) (One Telecom SRL, Moldova) (Ukrainian Internet Names Center, Ukraine)

There may be other samples with other behaviour.


It is possible that this is dropping ransomware, not Dridex. One other download location identified here:


This one has an MD5 of:


Detection rate is 5/53 but I do not yet know where this phones home to.


That last sample phones home to: (PE Astakhov Pavel Viktorovich, Ukraine)

according to this Hybrid Analysis.

Recommended blocklist: 


It appears that this is dropping some ransomware called "Locky" apparently by the makers of Dridex, according to this.

1 comment:

Jerry Chen said...

Any ways to remove this thing?? We are getting hit pretty hard.