Monday, 1 February 2016

Malware spam: Invoice 123456 from COMPANY NAME

This spam appears to originate from a variety of companies with different references. It comes with a malicious attachment.
From:    Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date:    1 February 2016 at 08:39
Subject:    Invoice 48014 from JKX OIL & GAS

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Marisol Barrett

JKX OIL & GAS

=========================

From:    Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date:    1 February 2016 at 09:38
Subject:    Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Oswaldo Browning

J P MORGAN PRIVATE EQUITY LTD

=========================

From:    Pansy Haley [HaleyPansy95@victimdomain.tld]
Date:    1 February 2016 at 08:50
Subject:    Invoice 95101 from HWANGE COLLIERY CO

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Pansy Haley

HWANGE COLLIERY CO


=========================

From:    Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date:    1 February 2016 at 08:51
Subject:    Invoice 27051 from ESSENDEN PLC

Dear Customer,

Your invoice appears below. Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Ruth Martinez

ESSENDEN PLC

The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).

Analysis is pending, however this is likely to be the Dridex banking trojan.

UPDATE 1

A different variant of the spam email is also circulating, and appears to carry roughly the same payload:
From:    Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date:    1 February 2016 at 10:09
Subject:    Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC

Hello,

The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.

Your transaction reference number is A3546F.

Kind Regards,

Heather Mcfadden

HAYWARD TYLER GROUP PLC

UPDATE 2

The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:

31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php


These IPs can be considered malicious, and belong to:

31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)


This drops a malicious binary with a detection rate of 2/53, which phones home to:

185.24.92.229 (System Projects, LLC, Russia)

This spam appears to be the Dridex banking trojan (botnet 120 perhaps).

Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23
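As an added example (not from the original post), a small Python check that applies the indicators above to constructed mail metadata and proxy log lines: the lure subject and "INV19 - <ref>.doc" attachment name, the From: address spoofing the recipient's own domain, and the three blocklisted IPs. The record layout and sample values are assumptions.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the post: C2/download hosts and the attachment naming pattern.
BLOCKLIST = {"185.24.92.229", "31.131.24.203", "31.41.45.23"}
SUBJECT_RE = re.compile(r"^(Invoice \d+ from .+|Transaction and Payment Confirmation from .+)$")
ATTACHMENT_RE = re.compile(r"^INV19 - \d+\.doc$", re.IGNORECASE)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def classify_mail(msg):
    """Return the reasons a message matches this campaign (empty list = no match).
    msg is an assumed dict with 'from', 'to', 'subject' and 'attachments' keys."""
    reasons = []
    if SUBJECT_RE.match(msg["subject"]):
        reasons.append("subject matches campaign lure")
    if any(ATTACHMENT_RE.match(name) for name in msg.get("attachments", [])):
        reasons.append("attachment named INV19 - <ref>.doc")
    # The samples put the recipient's own domain in the From: header, a cheap spoof
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    rcpt_domain = msg["to"].rsplit("@", 1)[-1].lower()
    if reasons and sender_domain == rcpt_domain:
        reasons.append("From: spoofs the recipient's own domain")
    return reasons

def blocklist_hits(log_lines):
    """Return (line, ip) pairs for log lines that mention a blocklisted IP."""
    hits = []
    for line in log_lines:
        for candidate in IPV4_RE.findall(line):
            try:
                ip = str(ip_address(candidate))
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if ip in BLOCKLIST:
                hits.append((line, ip))
    return hits

# Constructed sample data (not taken from the post's headers or logs)
SAMPLE_MAIL = [
    {"from": "BarrettMarisol04015@victimdomain.tld", "to": "ap@victimdomain.tld",
     "subject": "Invoice 48014 from JKX OIL & GAS", "attachments": ["INV19 - 48014.doc"]},
    {"from": "billing@supplier.example", "to": "ap@victimdomain.tld",
     "subject": "Invoice 77 from Supplier Ltd", "attachments": ["invoice-77.pdf"]},
]
SAMPLE_LOG = [
    "2016-02-01T10:12:03 src=10.0.0.5 dst=31.131.24.203 GET /indiana/jones.php",
    "2016-02-01T10:12:09 src=10.0.0.5 dst=93.184.216.34 GET /",
]
```

The second sample shows that the subject alone is a weak signal (a legitimate invoice matches it too); the attachment name and the spoofed sender domain are what separate the campaign from ordinary mail.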