
Thursday, 4 February 2016

Malware spam: "January balance £785" / Alison Smith [ASmith056@jtcp.co.uk]

This fake financial spam does not come from J. Thomson Colour Printers, but is instead a simple forgery with a malicious attachment:

From     Alison Smith [ASmith056@jtcp.co.uk]
Date     Thu, 04 Feb 2016 10:52:21 +0300
Subject "January balance £785"

Hi,

Thank you for your recent payment of £672.

It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?

Regards

Alison Smith
Assistant Accountant

  Registered in Scotland 29216
  14 Carnoustie Place
  Glasgow G5 8PB
  Tel: 0141 429 1094
  www.jtcp.co.uk

  Save Paper - Do you really need to print this e-mail?

The poor company being spoofed has already been hit by this attack recently [1] [2]. The email address of the sender varies from message to message.

Attached is a file IN161561-201601.js which comes in at least five different versions (VirusTotal [1] [2] [3] [4] [5]). This is a highly obfuscated script that looks like this [pastebin]. Automated analysis of the various scripts [6] [7] [8] [9] [10] [11] [12] [13] shows that the script downloads from the following locations (there may be more):

ejanla.co/43543r34r/843tf.exe
cafecl.1pworks.com/43543r34r/843tf.exe


This binary has a detection rate of 2/52 and phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220.
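
One way to sweep web proxy logs for the indicators listed above, as an added example that is not part of the original post. The log layout, the sample lines and the `classify`/`scan` names are assumptions constructed for illustration, and flagging the same download path on other hosts is a heuristic for the "there may be more" case.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators published in this post.
DOWNLOAD_HOSTS = {"ejanla.co", "cafecl.1pworks.com"}
DOWNLOAD_PATH = "/43543r34r/843tf.exe"
C2_IP = ipaddress.ip_address("62.76.191.108")
C2_BLOCK = ipaddress.ip_network("62.76.184.0/21")

# Assumed (hypothetical) log layout: "<timestamp> <client> <method> <url> <dest_ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines; clients and benign destinations are made up.
SAMPLE_LOG = """\
2016-02-04T08:01:10Z 10.0.0.21 GET http://ejanla.co/43543r34r/843tf.exe 192.0.2.10
2016-02-04T08:01:45Z 10.0.0.21 CONNECT 62.76.191.108:443 62.76.191.108
2016-02-04T08:02:03Z 10.0.0.34 GET http://example.org/index.html 192.0.2.80
2016-02-04T08:03:17Z 10.0.0.55 GET http://example.net/43543r34r/843tf.exe 192.0.2.44
2016-02-04T08:04:52Z 10.0.0.60 CONNECT 62.76.185.9:443 62.76.185.9
"""

def classify(line):
    """Return (client, reason) if the line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, client, _, url, dest = m.groups()
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.path == DOWNLOAD_PATH:
        # Known host is a confirmed hit; same path elsewhere is a heuristic lead.
        return client, "dropper-download" if host in DOWNLOAD_HOSTS else "same-path-other-host"
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return None
    if ip == C2_IP:
        return client, "c2-callback"
    if ip in C2_BLOCK:
        return client, "in-62.76.184.0/21"
    return None

def scan(log_text):
    """Classify every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A client that shows both a download hit and a callback hit, like 10.0.0.21 in the sample, is the one to prioritise for investigation.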
