
Wednesday 2 March 2016

Malware spam spoofing "Hillsong Church London"

This rather confused spam has a subject line that says one thing, for example:

GREKA ENGINEERING & TECHNOLOGY LTD March Invoice #2875
LIMITLESS EARTH PLC March Invoice #75913
FALKLAND ISLANDS HLDGS March Invoice #58093
MULTI UNITS FRANCE March Invoice #6689
SHORE CAPITAL GROUP LTD March Invoice #1612

But the body text is from a church:

Hi there,

Please find the remittance advice for the payment made on the 19th Feb 2015 from
Hillsong Church London.

Please let me know if there are any queries.

Kind regards,

Joan Terry

The material contained in this email may be confidential, and may also be the subject
of copyright and/ or privileged information. If you are not the intended recipient,
any use, disclosure or copying of this document is prohibited. If you have received
this document in error, please advise the sender and delete the document.

This email communication does not create or vary any contractual relationship between
Hillsong and you. Internet communications are not secure and accordingly Hillsong
does not accept any legal liability for the contents of this message.

Please note that neither Hillsong nor the sender accepts any responsibility for viruses
and it is your responsibility to scan the email and any attachments.

Hillsong Church London
www.hillsong.co.uk http://www.hillsong.co.uk
Attached is either an Excel spreadsheet with a name similar to Hillsong-C2E24.xls (VT results [1] [2] [3]) or a ZIP file with a name similar to Hillchurch-03234D.zip containing a script named TR7433029032016.js or TR913740032016.js (VT results [4] [5]).

The Malwr reports are a mixed bunch, with only the first three giving any data [1] [2] [3] [4] [5]; they show download locations at:

oimedoaeklmrf.giftcardnanny.ca/nu2o3mk4/c987ah8j9ei1.php
eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php
doaemdpmekd.securalive.eu/8fjvimkel1/c987ah8j9ei1.php
In fact, all these locations are on the same server (and are the same binary), hosted on:

193.201.227.90 (PE Tetyana Mysyk, Ukraine)

According to VirusTotal, there are a few hijacked GoDaddy subdomains on that IP. This method is a little unusual for this type of attack.

Those Malwr reports and this Hybrid Analysis report show the malware phoning home to:

24.172.94.181 (Time Warner Cable, US)

It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.

Recommended blocklist:
193.201.227.90
24.172.94.181
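As an added example (not part of the original post), a small Python triage script built from the indicators above: it flags mail matching the campaign's subject and attachment naming patterns, and proxy log lines that hit the download hosts, the fixed script path or the blocklisted IPs. The proxy log format and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKLIST_IPS = {"193.201.227.90", "24.172.94.181"}
DOWNLOAD_HOSTS = {
    "oimedoaeklmrf.giftcardnanny.ca",
    "eiadmeodeda.securalive.ca",
    "doaemdpmekd.securalive.eu",
}
DOWNLOAD_SCRIPT = "c987ah8j9ei1.php"  # same path component on every download URL

# Naming patterns generalised from the samples in the post.
SUBJECT_RE = re.compile(r"^[A-Z0-9&.' ]+ March Invoice #\d+$")
XLS_RE = re.compile(r"^Hillsong-[0-9A-F]+\.xls$", re.I)
ZIP_RE = re.compile(r"^Hillchurch-[0-9A-F]+\.zip$", re.I)
JS_RE = re.compile(r"^TR\d+\.js$", re.I)


def classify_message(subject, body, attachments):
    """Return the reasons a message matches this campaign (empty list if none).
    attachments: list of (filename, [names inside the archive]) tuples."""
    reasons = []
    # Company invoice subject paired with a Hillsong remittance body is the tell.
    if SUBJECT_RE.match(subject) and "hillsong" in body.lower():
        reasons.append("invoice subject with Hillsong remittance body")
    for name, inner in attachments:
        if XLS_RE.match(name):
            reasons.append(f"attachment name pattern: {name}")
        elif ZIP_RE.match(name) and any(JS_RE.match(i) for i in inner):
            reasons.append(f"zip with JS dropper: {name}")
    return reasons


def flag_proxy_line(line):
    """Constructed log format: '<client-ip> <dest-ip> <url>'.
    Returns the client IP if the request matches an indicator, else None."""
    client, dest_ip, url = line.split()[:3]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (dest_ip in BLOCKLIST_IPS or host in DOWNLOAD_HOSTS
            or parts.path.endswith("/" + DOWNLOAD_SCRIPT)):
        return client
    return None


if __name__ == "__main__":
    print(classify_message("GREKA ENGINEERING & TECHNOLOGY LTD March Invoice #2875",
                           "remittance advice ... from Hillsong Church London.",
                           [("Hillchurch-03234D.zip", ["TR7433029032016.js"])]))
```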
