From documents@dmb-ltd.co.uk
Date Wed, 10 Feb 2016 11:12:41 +0200
Subject Emailing: MX62EDO 10.02.2016
Your message is ready to be sent with the following file or link
attachments:
MX62EDO 10.02.2016 SERVICE SHEET
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
Attached is a malicious document named MX62EDO 10.02.2016.doc. I haven't had time to analyse these myself, but a trusted source (thank you) says that there are three different variants of the document, downloading a malicious executable from the following locations:
calflytech.com/09u8h76f/65fg67n
g-t-c.co.uk/09u8h76f/65fg67n
opoai.com/09u8h76f/65fg67n
This drops an executable with a VirusTotal detection rate of 6/55. This malware calls back to the following IPs:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
50.56.184.194 (Rackspace, US)
144.76.73.3 (Hetzner, Germany)
The payload is the Dridex banking trojan. Some chatter I have seen indicates that this has been hardened against analysis.
Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3
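Since the three download locations share the same URL path and only the hostname changes, hunting on the path catches all three variants (and any further hosts the same campaign rotates in). The following is an added example, not code from the original post: it runs the indicators above over a few constructed proxy log lines in an assumed Squid-style layout (timestamp, client, method, URL, destination IP) and flags callbacks to the blocklisted IPs and fetches of the download path.

```python
import re
from typing import List, Optional, Tuple

# Indicators from the post above. The download path is identical across all
# three hosts, so it is matched on its own rather than host-by-host.
BLOCKLIST_IPS = {"87.229.86.20", "50.56.184.194", "144.76.73.3"}
DOWNLOAD_HOSTS = {"calflytech.com", "g-t-c.co.uk", "opoai.com"}
DOWNLOAD_PATH = "/09u8h76f/65fg67n"

# Assumed (hypothetical) log layout: "<ts> <client> <METHOD> <url> <dest_ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dest>\S+)$"
)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (indicator_type, value) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignore rather than guess
    url, dest = m.group("url"), m.group("dest")
    host, _, rest = re.sub(r"^https?://", "", url).partition("/")
    path = "/" + rest
    if dest in BLOCKLIST_IPS:            # post-infection callback to C2
        return ("c2_ip", dest)
    if path.startswith(DOWNLOAD_PATH):   # payload fetch, any hostname
        return ("download_path", host)
    if host.lower() in DOWNLOAD_HOSTS:   # lower confidence: hosts may be
        return ("download_host", host)   # compromised legitimate sites
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, value) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        res = classify(line)
        if res:
            hits.append((n, res[0], res[1]))
    return hits


# Constructed sample log; client and destination addresses are documentation ranges.
SAMPLE_LOG = [
    "2016-02-10T11:20:03Z 10.0.0.15 GET http://calflytech.com/09u8h76f/65fg67n 203.0.113.7",
    "2016-02-10T11:20:09Z 10.0.0.15 POST http://87.229.86.20/ 87.229.86.20",
    "2016-02-10T11:21:00Z 10.0.0.22 GET http://example.com/index.html 198.51.100.20",
    "2016-02-10T11:22:41Z 10.0.0.31 GET http://opoai.com/ 198.51.100.9",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```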
1 comment:
Got one myself today (March 2) in my in-box. ... sender is "documents@[mydomain].com", but there's no such email address at that domain (and I should know, since I own and run it!). Topic is "Emailing: MX62EDO 01.03.2016." Attachment is "MX62EDO201603015669.zip". Didn't un-zip it (duh). Text says "scanned by Avast" but I don't use Avast. MBAM Anti-Malware Bytes and Windows Defender do NOT find this item to be problematic. Hope they update their definitions soon.