From: Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date: 1 February 2016 at 08:39
Subject: Invoice 48014 from JKX OIL & GAS
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Marisol Barrett
JKX OIL & GAS
=========================
From: Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date: 1 February 2016 at 09:38
Subject: Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Oswaldo Browning
J P MORGAN PRIVATE EQUITY LTD
=========================
From: Pansy Haley [HaleyPansy95@victimdomain.tld]
Date: 1 February 2016 at 08:50
Subject: Invoice 95101 from HWANGE COLLIERY CO
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Pansy Haley
HWANGE COLLIERY CO
=========================
From: Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date: 1 February 2016 at 08:51
Subject: Invoice 27051 from ESSENDEN PLC
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Ruth Martinez
ESSENDEN PLC
The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).
Analysis is pending, however this is likely to be the Dridex banking trojan.
UPDATE 1
A different variant of the spam email is also circulating, which appears to carry roughly the same payload:
From: Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date: 1 February 2016 at 10:09
Subject: Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC
Hello,
The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.
Your transaction reference number is A3546F.
Kind Regards,
Heather Mcfadden
HAYWARD TYLER GROUP PLC
UPDATE 2
The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php
These IPs can be considered as malicious, and belong to:
31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)
This drops a malicious binary with a detection rate of 2/53. This phones home to:
185.24.92.229 (System Projects, LLC, Russia)
This spam appears to be the Dridex banking trojan (botnet 120 perhaps).
Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23
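As an added example (not part of the original alert), the following Python turns the indicators above into simple checks: the "INV19 - <number>.doc" attachment naming scheme, the two subject patterns, and the download locations and phone-home IP. The proxy log format and its lines are constructed for illustration.

```python
import re
from typing import List

# Indicators from the alert: blocklisted IPs and the download path seen in
# the Malwr reports. Constructed sample data below is marked as such.
BLOCKLIST_IPS = {"185.24.92.229", "31.131.24.203", "31.41.45.23"}
DOWNLOAD_PATH = "/indiana/jones.php"
# Attachment names always start with "INV19" followed by a fake reference number.
ATTACHMENT_RE = re.compile(r"^INV19 - \d+\.doc$", re.IGNORECASE)
# Subject lines observed in both waves of the campaign.
SUBJECT_RE = re.compile(
    r"^(Invoice \d+ from |Transaction and Payment Confirmation from )",
    re.IGNORECASE,
)


def check_attachment(filename: str) -> bool:
    """True if the filename matches the campaign's attachment naming scheme."""
    return ATTACHMENT_RE.match(filename.strip()) is not None


def check_subject(subject: str) -> bool:
    """True if the subject matches one of the two observed templates."""
    return SUBJECT_RE.match(subject.strip()) is not None


def check_url(url: str) -> bool:
    """True if the URL hits a blocklisted IP or the known download path."""
    m = re.match(r"^(?:https?://)?([^/:\s]+)(?::\d+)?(/\S*)?", url.strip())
    if not m:
        return False
    host, path = m.group(1), (m.group(2) or "/")
    return host in BLOCKLIST_IPS or path.lower() == DOWNLOAD_PATH


# Constructed sample proxy log, "timestamp client url" per line (not from the page).
SAMPLE_PROXY_LOG = """\
2016-02-01T09:41:02 10.0.0.17 http://31.131.24.203/indiana/jones.php
2016-02-01T09:41:09 10.0.0.17 http://185.24.92.229/
2016-02-01T09:42:30 10.0.0.22 https://www.example.com/index.html
2016-02-01T09:43:11 10.0.0.31 http://203.0.113.5/indiana/jones.php
"""


def scan_proxy_log(log_text: str) -> List[str]:
    """Return the URLs in the log that match the campaign's infrastructure."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and check_url(parts[2]):
            hits.append(parts[2])
    return hits
```

The path-only match on the last sample line is deliberate: the same script name on an unlisted host is worth a look, since the blocklist only covers the hosts seen so far.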