Malware spam: "Closing bill" / "MyBill [mybill.central@affinitywater.co.uk]"

This fake financial spam does not come from Affinity Water but is instead a simple forgery with a malicious attachment.

From     MyBill [mybill.central@affinitywater.co.uk]
Date     Fri, 04 Mar 2016 14:50:57 +0530
Subject     Closing bill

Dear customer

Please find attached a copy of closing bill as requested.


Kind Regards

Natasha Hawkes
Customer Relations Advisor

affinitywater.co.uk

_________________________________________________________________________

This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk

_____________________________________________________________________________

Attached is a partly randomly-named file, for exampple 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2] which according to the Malwr reports [3]  [4] download a binary from the following locations:

prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe

This binary has a detection rate of 6/56. Analysis is pending, however this looks like the Dridex banking trojan.

UPDATE 1

The comments in the VirusTotal scan give some more download locations:

2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe

Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:

188.165.215.180 (OVH, France)

I strongly recommend that you block traffic to that IP.

UPDATE2

Some additional download locations and C&C servers to block, from another source (thank you!)

jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe

Overall, some of these download locations look like good candidates for blocking, especially:

81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)

These additional C&C servers have been seen before:

78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)

Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57