From: GS Toilet Hire [donotreply@sageone.com]
Date: 3 February 2016 at 09:12
Subject: GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
Good morning
Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
Full details, including payment terms, are included.
If you have any questions, please don't hesitate to contact us.
Kind regards,
Linda Smith
Office, GS Toilet Hire
Direct enquiries
Glenn Johnson
07930 391 011
I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates [1] [2] and contain highly obfuscated scripts [3] [4] which, according to these analyses [5] [6] [7], download a binary from one of the following locations:
obstipatie.nu/43rf3dw/34frgegrg.exe
bjhaggerty.com/43rf3dw/34frgegrg.exe
(also www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe from this related spam run)
This type of download indicates that this is Dridex 220; it is unusual for it to be spammed out in a Javascript-in-ZIP format rather than as a malicious Office macro. The binary has a detection rate of 5/49, and this Hybrid Analysis report shows the malware phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend that you block all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.
UPDATE
The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc, which comes in at least two different variants (VirusTotal [1] [2]) that, according to these Malwr reports [3] [4], download a binary from the following locations:
xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband.com/43rf3dw/34frgegrg.exe
(also best-drum-set.com/43rf3dw/34frgegrg.exe from this later spam run)
This is a different binary from before, with a detection rate of 4/53. It still phones home to the same location.
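As an added example (not code from the original post), a small Python checker that triages constructed proxy-log lines against the indicators listed above: the exact download URLs, the shared /43rf3dw/34frgegrg.exe path on any host, the 91.239.232.145 phone-home address, and the wider 91.239.232.0/22 block. The log layout and the sample lines are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the post above: download URLs, C2 address and its /22.
DOWNLOAD_URLS = {
    "obstipatie.nu/43rf3dw/34frgegrg.exe", "bjhaggerty.com/43rf3dw/34frgegrg.exe",
    "www.ni-na27.wc.shopserve.jp/43rf3dw/34frgegrg.exe",
    "xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe",
    "taukband.com/43rf3dw/34frgegrg.exe", "best-drum-set.com/43rf3dw/34frgegrg.exe",
}
C2_ADDRESS = ipaddress.ip_address("91.239.232.145")
C2_RANGE = ipaddress.ip_network("91.239.232.0/22")
# Every download URL shares this path, so flag it even on a host not yet listed.
PATH_PATTERN = re.compile(r"/43rf3dw/34frgegrg\.exe$")

def classify(line: str) -> list:
    """Indicator matches for one line of the assumed (constructed) proxy-log
    layout "epoch client_ip dest_ip method url"; an empty list means clean."""
    fields = line.split()
    if len(fields) != 5:
        return ["unparsed"]
    _ts, _client, dest_ip, _method, url = fields
    hits = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.netloc + parts.path in DOWNLOAD_URLS:
        hits.append("known-download-url")
    elif PATH_PATTERN.search(parts.path):
        hits.append("download-path-pattern")
    try:
        dest = ipaddress.ip_address(dest_ip)
    except ValueError:
        return hits  # hostname or junk in the IP field; the URL checks still apply
    if dest == C2_ADDRESS:
        hits.append("c2-address")
    elif dest in C2_RANGE:
        hits.append("c2-range")
    return hits

def scan(lines):
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

# Constructed sample traffic: one clean request, then one line per condition above.
SAMPLE_LOG = """\
1454490721 10.0.0.12 93.184.216.34 GET http://example.com/index.html
1454490735 10.0.0.12 203.0.113.7 GET http://bjhaggerty.com/43rf3dw/34frgegrg.exe
1454490790 10.0.0.12 91.239.232.145 POST http://91.239.232.145/
1454490801 10.0.0.15 91.239.233.9 GET http://91.239.233.9/
1454490810 10.0.0.15 198.51.100.4 GET http://new-host.example/43rf3dw/34frgegrg.exe
""".splitlines()
```

Running scan(SAMPLE_LOG) returns the line numbers 2 to 5 with their hit labels; the range check catches the /22 neighbour the post suggests blocking as well as the exact C2 address.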
1 comment:
Unfortunately my company has been infected.
Some users opened the Word attachment and "Enabled content".
I don't know if this is an advantage but "Protected view" was on.
I noticed in one computer it added like 25 new DNS entries. I've deleted them manually but I wonder if there could be something else.
Any advice?
Thanks