Sponsored by..

Thursday 11 February 2016

Malware spam: "INT242343 Unpaid Invoice - Your Services May Be Suspended" / payments@wavenetuk.com

This spam does not come from Wavenet Group but is instead a simple forgery with a malicious attachment:

From     payments [payments@wavenetuk.com]
Date     Thu, 11 Feb 2016 15:14:59 +0530
Subject     INT242343 Unpaid Invoice - Your Services May Be Suspended

PLEASE NOTE:  THIS IS A NO REPLY EMAIL ACCOUNT

Dear Customer
        Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www.netbills.co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.


Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777


This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. Wavenet
Ltd Registered in England No 3919664. Registered address: Friars Gate 2, 1011 Stratford
Road, Shirley, Solihull, West Midlands, B90 4BN. If you are not the intended recipient
of this email and its attachments, you must take no action based upon them, nor must
you copy or show them to anyone. Please contact the sender if you believe you have
received this email in error. Wavenet Ltd reserves the right to monitor email communications
through its networks.

This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. If you
are not the intended recipient of this email and its attachments, you must take no
action based upon them, nor must you copy or show them to anyone. Please contact
the sender if you believe you have received this email in error. Wavenet Ltd reserves
the right to monitor email communications through its networks
I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53. The Malwr analysis shows that this script downloads an executable from:

gp-training.net/09u8h76f/65fg67n

There are probably a few other download locations. This binary has a detection rate of 2/54.  The Malwr report also indicates that it phones home to:

87.229.86.20 (ZNET Telekom Zrt, Hungary)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

5 comments:

Unknown said...

Thank you - thought it was dodgy, appreciate the advice

Unknown said...

Thanks so much for the heads up warning!

Flights of Imagination said...

Thank you, I received an email just one this one today!

Unknown said...

How does one block traffic from the IP if they are not computer savy?

Vazolo said...

I saw this email and laughed, who sends an invoice in a zip folder to begin with! hahahahahahahahahahahahahahaha