From rick.adrio@booles.co.ukAttached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources the macro in the document downloads from:
Date Tue, 08 Mar 2016 15:58:07 +0530
Subject Order 1307605 (Acknowledgement)
Please find document attached
CONFIDENTIALITY AND DISCLAIMER NOTICE:
This email contains proprietary information which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission error has misdirected
this email, please notify the author by replying to this email. If you are not the
intended recipient you must not use, disclose, distribute, copy, print, or rely on
this email and delete all copies. Boole's Tools and Pipe Fittings Ltd is a private
company limited by shares. Registered in the United Kingdom No. 683745. Registered
office: PO Box 1586, Gemini One, John Smith Drive, Oxford Business Park South, Oxford,
OX4 9JF, United Kingdom.
stopmeagency.free.fr/9uj8n76b5.exe
reclamus.com/9uj8n76b5.exe
lhs-mhs.org/9uj8n76b5.exe
izzy-cars.nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi.web.fc2.com/9uj8n76b5.exe
The dropped binary has changed from earlier and has a detection rate of 2/55, it phones home to the same IP address as seen in this campaign. It appears to be the Dridex banking trojan.
2 comments:
We have all .doc,.zip,.docm attachments blocked completely that are coming in, but this one slipped through and have no idea how. We've blocked other .docm attachemtns, so it is working and I send some samples in as tests to see if its still working and it is.
Is there anything different with this one that might have got it through out attachment blocks?
Post a Comment