Tuesday 8 March 2016

Malware spam: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 / Accounts Payable [vendoramendments@yorkshirewater.co.uk]

This fake financial spam does not come from Yorkshire Water but is instead a simple forgery with a malicious attachment.

From     Accounts Payable [vendoramendments@yorkshirewater.co.uk]
Date     Tue, 08 Mar 2016 10:32:52 +0200
Subject     Pay_Advice_Vendor_0000300320_1000_for_03.03.2016

-----------------------------------------

Spotted a leak?
If you spot a leak please report it immediately. Call us on 0800 57 3553 or go to
http://www.yorkshirewater.com/leaks

Get a free water saving pack
Don't forget to request your free water and energy saving pack, it could save you
money on your utility bills and help you conserve water. http://www.yorkshirewater.com/savewater

The information in this e-mail, and any files transmitted with it, is confidential
and may also be legally privileged. The contents are intended solely for the addressee
only and are subject to the legal notice available at http://www.keldagroup.com/email.htm.
This email does not constitute a binding offer, acceptance, amendment, waiver or
other agreement, or create any obligation whatsoever, unless such intention is clearly
stated in the body of the email. If you are not the intended recipient, please return
the message by replying to it and then delete the message from your computer. Any
disclosure, copying, distribution or action taken in reliance on its contents is
prohibited and may be unlawful.

Yorkshire Water Services Limited
Registered Office Western House, Halifax Road, Bradford, BD6 2SZ
Registered in England and Wales No 2366682

I have seen only a single sample, with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP; the zip contains a randomly-named malicious script with a detection rate of 3/54.

According to the Malwr report and the Hybrid Analysis report on this sample, the script downloads a malicious binary from:

lhs-mhs.org/9uj8n76b5.exe

This binary has a detection rate of 2/54, and both of those reports indicate that it phones home to:

38.64.199.3 (PSINet, Canada)

I recommend that you block traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan.
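As an added example (not part of the original post), the script below turns the indicators above into a simple log check: it scans squid-style proxy lines for the download URL and the callback IP, and scans mail-gateway lines for the campaign's attachment name or any "document.zip" double extension. The log formats, client addresses and example.invalid mailboxes are constructed for the demonstration; the only real values are the indicators quoted in the post.

```python
"""Scan proxy and mail-gateway log lines for the indicators named in this post.

Added example, not from the original post. The log formats are constructed
(squid-style proxy lines and a simple key=value mail log) so it runs offline.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the post: the download URL and the callback IP.
IOC_IPS = {"38.64.199.3"}
IOC_HOSTS = {"lhs-mhs.org"}
IOC_PATHS = {"/9uj8n76b5.exe"}

# Attachment naming used by this campaign, plus a generic double-extension check
# (document extension hidden in front of .zip) that catches renamed variants.
CAMPAIGN_ATTACHMENT_RE = re.compile(
    r"^Pay_Advice_Vendor_\d+_\d+_for_\d{2}\.\d{2}\.\d{4}\.pdf\.zip$", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.zip$", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    reason: str
    raw: str


def classify_url(url: str):
    """Return a reason string if the URL touches a known indicator, else None."""
    # CONNECT entries in squid logs are bare host:port; give urlsplit a netloc.
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_IPS:
        return f"callback address {host}"
    if host in IOC_HOSTS:
        if parts.path in IOC_PATHS:
            return f"payload download {host}{parts.path}"
        return f"payload host {host}"
    return None


def classify_attachment(name: str):
    """Return a reason string for a suspicious attachment name, else None."""
    if CAMPAIGN_ATTACHMENT_RE.match(name):
        return "campaign attachment name"
    if DOUBLE_EXT_RE.search(name):
        return "double extension (document.zip)"
    return None


# squid native format: time elapsed client action/code size method url ...
PROXY_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# constructed mail-gateway format: ... attachment="NAME"
ATTACH_RE = re.compile(r'attachment="([^"]+)"')


def scan_proxy_log(text: str) -> list:
    """Return a Hit for every proxy line whose URL matches an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        reason = classify_url(m.group("url"))
        if reason:
            hits.append(Hit(n, f"{m.group('client')}: {reason}", line))
    return hits


def scan_mail_log(text: str) -> list:
    """Return a Hit for every mail line carrying a suspicious attachment name."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ATTACH_RE.search(line)
        if not m:
            continue
        reason = classify_attachment(m.group(1))
        if reason:
            hits.append(Hit(n, reason, line))
    return hits


# Constructed sample lines (not real traffic). Client 10.1.2.34 fetches the
# dropper and then connects to the callback IP; 10.1.2.35 is benign.
SAMPLE_PROXY_LOG = """\
1457433172.123    120 10.1.2.34 TCP_MISS/200 214016 GET http://lhs-mhs.org/9uj8n76b5.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
1457433180.456     40 10.1.2.34 TCP_TUNNEL/200 512 CONNECT 38.64.199.3:443 - HIER_DIRECT/38.64.199.3 -
1457433190.789     30 10.1.2.35 TCP_HIT/200 1024 GET http://www.yorkshirewater.com/leaks - HIER_NONE/- text/html
"""

SAMPLE_MAIL_LOG = """\
2016-03-08T10:32:52+02:00 from=<vendoramendments@yorkshirewater.co.uk> to=<ap@example.invalid> attachment="Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP"
2016-03-08T10:40:01+02:00 from=<hr@example.invalid> to=<ap@example.invalid> attachment="timesheet.xlsx"
2016-03-08T10:41:30+02:00 from=<billing@example.invalid> to=<ap@example.invalid> attachment="invoice_4411.doc.zip"
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_mail_log(SAMPLE_MAIL_LOG):
        print(f"line {hit.line_no}: {hit.reason}")
```

The double-extension check is deliberately broader than this one campaign: the attachment name will change with the next run, but a zip whose inner name is dressed up as a PDF or Office document is a pattern worth flagging on its own, and the proxy check fires on the callback address even after the download URL has gone stale.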
