From payments [payments@wavenetuk.com]I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53. The Malwr analysis shows that this script downloads an executable from:
Date Thu, 11 Feb 2016 15:14:59 +0530
Subject INT242343 Unpaid Invoice - Your Services May Be Suspended
PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
Dear Customer
Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www.netbills.co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.
Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777
This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. Wavenet
Ltd Registered in England No 3919664. Registered address: Friars Gate 2, 1011 Stratford
Road, Shirley, Solihull, West Midlands, B90 4BN. If you are not the intended recipient
of this email and its attachments, you must take no action based upon them, nor must
you copy or show them to anyone. Please contact the sender if you believe you have
received this email in error. Wavenet Ltd reserves the right to monitor email communications
through its networks.
This email and its attachments may be confidential and are intended solely for the
use of the individual to whom it is addressed and should be considered private and
protected by law. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Wavenet Ltd or its subsidiaries. If you
are not the intended recipient of this email and its attachments, you must take no
action based upon them, nor must you copy or show them to anyone. Please contact
the sender if you believe you have received this email in error. Wavenet Ltd reserves
the right to monitor email communications through its networks
gp-training.net/09u8h76f/65fg67n
There are probably a few other download locations. This binary has a detection rate of 2/54. The Malwr report also indicates that it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.
5 comments:
Thank you - thought it was dodgy, appreciate the advice
Thanks so much for the heads up warning!
Thank you, I received an email just one this one today!
How does one block traffic from the IP if they are not computer savy?
I saw this email and laughed, who sends an invoice in a zip folder to begin with! hahahahahahahahahahahahahahaha
Post a Comment