Sponsored by..

Thursday 17 March 2016

Malware spam: "Remittance Adivce" from random senders

This fake financial spam has a malicious attachment and poor spelling in the subject field.

From:    Booth.Garth19@idsbangladesh.net.bd
Date:    17 March 2016 at 09:17
Subject:    Remittance Adivce


Please find attached a remittance advice for payment made yo you today.

Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.

Kind Regards

Garth Booth
Sender names, contact number and attachment names vary, but I have seen just a single variant of the attachment with a VirusTotal detection rate of 1/55. The Malwr report for this sample sees a download from:

bakery.woodwardcounseling.com/michigan/map.php

This download location is almost certainly completely malicious, and is hosted at:

217.12.199.94 (ITL, Ukraine)

This dropped file has a detection rate of 3/56. That VirusTotal and this Malwr report indicate network traffic to:

38.64.199.33 (PSINet, Canada)
188.93.239.28 (DotSi, Portugal)


The payload is uncertain, but it could be the Dridex banking trojan.

UPDATE

The DeepViz analysis  also shows traffic to:

85.17.155.148 (Leaseweb, Netherlands)

Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148

No comments: