From: Interparcel [bounce@interparcel.com]
Date: 17 March 2016 at 08:51
Subject: Interparcel Documents

Your Interparcel collection has been booked and your documents are ready.
There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
Thank you for booking with Interparcel.

Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc), of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:

gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe
The detection rate for the binary at the time of writing is 5/57. This DeepViz report on the binary shows network connections to:
195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)
As mentioned before, these characteristics look like the Dridex banking trojan.
Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78
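As an added example (not part of the original post), the following Python script turns the indicators above into a quick triage check over web proxy logs. It matches the two payload URLs exactly, matches any .exe served from the same hello123 plugin directory as a broader "suspicious" hit (a generalisation of the two observed URLs, not something the post itself reports), checks destinations against the recommended blocklist, and then flags clients that both fetched a payload and called back to a blocklisted IP. The log lines are constructed for the example in a Squid-style access-log layout (timestamp, client, status, bytes, method, URL); the field positions are an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the two payload download URLs and the
# four IPs in the recommended blocklist.
PAYLOAD_URLS = {
    "gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe",
    "ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/56h4g3b5yh.exe",
}
BLOCKLIST_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("195.169.147.26", "64.76.19.251", "91.236.4.234", "188.40.224.78")
}
# Broader, assumed pattern: any .exe under the same plugin directory, in case
# the campaign rotates file names or compromised hosts. Treat as suspicious,
# not as a confirmed indicator.
PLUGIN_EXE_RE = re.compile(r"/wp-content/plugins/hello123/[^/?#]+\.exe$", re.IGNORECASE)

# Constructed sample log lines (not real traffic). Assumed layout:
# timestamp client_ip action/status bytes method url
SAMPLE_LOG = """\
1458204600.123 10.0.0.5 TCP_MISS/200 184320 GET http://gooddrink.com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
1458204601.456 10.0.0.5 TCP_MISS/200 512 POST http://195.169.147.26:8443/
1458204602.789 10.0.0.7 TCP_HIT/200 20480 GET http://example.com/index.html
1458204603.001 10.0.0.9 TCP_MISS/200 184320 GET http://ziguinchor.caravanedesdixmots.com/wp-content/plugins/hello123/abcdef.exe
1458204604.222 10.0.0.5 TCP_MISS/200 300 POST http://64.76.19.251/
"""


def classify(url):
    """Return the list of reasons a URL matches the post's indicators (empty if none)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Compare in the scheme-less host+path form used in the post.
    if host + parts.path in PAYLOAD_URLS:
        reasons.append("known payload URL")
    elif PLUGIN_EXE_RE.search(parts.path):
        reasons.append("exe under hello123 plugin path (suspicious)")
    try:
        if ipaddress.ip_address(host) in BLOCKLIST_IPS:
            reasons.append("blocklisted IP")
    except ValueError:
        pass  # host is a name, not an IP literal
    return reasons


def scan(log_text):
    """Return [(client_ip, url, reasons)] for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line
        client, url = fields[1], fields[5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def likely_infected(hits):
    """Clients that downloaded a payload and then contacted a blocklisted IP."""
    downloaded, called_back = set(), set()
    for client, _url, reasons in hits:
        if any(r.startswith(("known payload", "exe under")) for r in reasons):
            downloaded.add(client)
        if "blocklisted IP" in reasons:
            called_back.add(client)
    return downloaded & called_back


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, url, reasons in found:
        print(f"{client} -> {url}: {', '.join(reasons)}")
    print("likely infected:", sorted(likely_infected(found)))
```

On the sample data this reports four matching lines and singles out 10.0.0.5, which both fetched the gooddrink.com.tr payload and posted to two blocklisted addresses; 10.0.0.9 only fetched a renamed .exe from the plugin path and is left at "suspicious". Hosts on compromised WordPress sites and C2 IPs tend to change quickly, so the exact-match sets should be refreshed rather than relied on long after the campaign date.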