
Friday 4 March 2016

Malware spam: "Remittance" from random companies with .rtf attachment

This fake financial spam appears to come from random companies. The body text is similar in all cases.

Sample 1:
From:    Ignacio - Floris of London
Date:    4 March 2016 at 09:42
Subject:    Remittance


Dear Sir/Madam,

I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Ignacio Knox
Accounts Payable

Sample 2:

From:    Audra - ECLECTIC BAR GRP PLC
Date:    4 March 2016 at 09:48
Subject:    Remittance

Dear Sir/Madam,

Hope you are OK. I am writing you to let you know that entire amount specified in the contract has been paid into your bank account on the 1st of March at 16 over BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note in the attachment.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Audra Pratt
Accounts Payable

Attached is a file named in a format similar to rem.advice-6430760513.rtf or invoice-9200564788.rtf. Detection rates are pretty low [1] [2] [3] and the Malwr reports are inconclusive [4] [5] [6] although I suspect the attachment itself may be malformed. Further analysis is pending.

UPDATE

These Hybrid Analysis reports [1] [2] [3] show the file downloading a malicious binary from one of the following fruit-flavoured domains:

wildberry.markettimingintelligence.com/zalupa/kurva.php
raspberry.diversified-capital-management.com/zalupa/kurva.php

This file is dropped as %TEMP%\sdjgbcjkds.exe and both those sites are hosted on:

31.131.24.76 (PE Skurykhin Mukola Volodumurovuch, Ukraine)

Along with another domain of strawberry.reactionpointtimingindicator.com. All of these are hijacked GoDaddy domains.

The Malwr report for the executable shows it communicating with:

24.172.94.181 (Time Warner, US)

This is the same IP as seen here which Sophos identified as being Dridex.  

Recommended blocklist:
31.131.24.76
24.172.94.181 
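
The indicators above turned into a mail and proxy-log triage check, added here as an example and not part of the original post. The proxy log format, the client addresses and the attachment-name regex (a generalisation of the two file names quoted) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post; ATTACHMENT_RE (an assumption) generalises its two file names.
BLOCKLIST_IPS = {"31.131.24.76", "24.172.94.181"}
DOWNLOAD_HOSTS = {"wildberry.markettimingintelligence.com",
                  "raspberry.diversified-capital-management.com",
                  "strawberry.reactionpointtimingindicator.com"}
DOWNLOAD_PATH = "/zalupa/kurva.php"
ATTACHMENT_RE = re.compile(r"^(?:rem\.advice|invoice)-\d{10}\.rtf$", re.IGNORECASE)

def mail_hits(subject, attachments):
    """Reasons a message matches the lure; the subject counts only with a matching file."""
    names = [a for a in attachments if ATTACHMENT_RE.match(a.strip())]
    hits = ["attachment name: " + ", ".join(names)] if names else []
    if names and subject.strip().lower() == "remittance":
        hits.append("subject: Remittance")
    return hits

def proxy_hits(line):
    """Reasons a '<time> <client_ip> <dest_ip> <url>' line matches; [] if malformed."""
    fields = line.split()
    if len(fields) != 4:
        return []
    hits = ["blocklisted IP: " + fields[2]] if fields[2] in BLOCKLIST_IPS else []
    try:
        parts = urlsplit(fields[3])
    except ValueError:  # unparseable URL: keep any IP hit
        return hits
    host = (parts.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        hits.append("download host: " + host)
    if parts.path.lower() == DOWNLOAD_PATH:
        hits.append("download path: " + parts.path)
    return hits

def scan(log_text):
    """Map each client IP to the reasons its requests matched."""
    found = {}
    for line in log_text.splitlines():
        for hit in proxy_hits(line):
            found.setdefault(line.split()[1], []).append(hit)
    return found

# Constructed sample proxy log (hypothetical format and clients, not real traffic).
SAMPLE_LOG = """\
2016-03-04T09:50:11Z 10.0.0.15 31.131.24.76 http://wildberry.markettimingintelligence.com/zalupa/kurva.php
2016-03-04T09:50:40Z 10.0.0.15 24.172.94.181 https://24.172.94.181/
2016-03-04T09:51:02Z 10.0.0.22 192.0.2.10 http://example.com/index.html
"""
```

The path is checked separately from the host list because the download sites are hijacked domains, so the same path may turn up on a host not listed here.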

1 comment:

Boroladcraig said...

Received one today from Howell.Shari687@marketoneweb.com but showing as Shari - PLAZA CENTERS NV.

Dear Sir/Madam,

I hope you are well. Im writing you to let you know that entire amount qualified in the contract has been paid into your bank account on the 1st of March at 17 by means of BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Shari Howell
Accounts Manager

rtf number is 3387227041