Wednesday, 2 March 2016

Malware spam: "ZYL Invoice" / "Outstanding Invoice" / "Sales Invoice"

These randomly-generated financial spam emails come with a malicious attachment:

From:    Buckminster U. Petty
Date:    2 March 2016 at 07:55
Subject:    Outstanding Invoice

Please check the receipt attached to this message. The Transaction will be posted on your account within 48 hours.

----------

From:    Astra B. Fuller
Date:    2 March 2016 at 08:08
Subject:    Fwd: ZYL Invoice

Please find the payment details attached to this message. The Transfer should appear on your account in 2 days.

----------

From:    Audrey U. Oneil
Date:    2 March 2016 at 07:34
Subject:    Re: Sales Invoice

Please review the invoice attached to this message. The Transfer should appear on your bank in 48 hours.

Attached is a randomly-named file with an .RTF extension that is actually a DOCX file in disguise. I have seen three different attachments with detection rates of 1/55 [1] [2] [3], and the Malwr reports for those [4] [5] [6] show the macro contained within downloading from the following locations:

thevillagelounge.nl/e.jpg?LnRiNLIoPC3=55
creeko.com/d.jpg?GIk1nRWM0r27m5Ss=50
creeko.com/d.jpg?GIk1nRWM0r27m5Ss=8
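The attachment trick described above (a file named `.rtf` that is really an OOXML/ZIP container carrying a VBA macro) is easy to catch at the mail gateway or in triage by comparing the claimed extension with the file's leading bytes and then looking inside the ZIP for a VBA project. The script below is an added example and is not part of the original post; the sample "attachment" it builds in memory is constructed here purely to exercise the check and is not a real malicious file. The magic-byte prefixes are taken from the public RTF and ZIP format specifications; the `vbaProject.bin` entry name is the standard location of VBA code inside Office Open XML documents.

```python
import io
import zipfile

# Leading bytes from the public format specifications (not from the page).
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"


def classify_by_magic(data: bytes) -> str:
    """Return the real container type of a blob, judged by its first bytes."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"  # DOCX/DOCM/XLSM etc. are all ZIP containers
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """True if a ZIP/OOXML blob carries a VBA project (e.g. word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose extension lies about its content or which embeds VBA."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = classify_by_magic(data)
    # An .rtf that does not start with "{\rtf" is not an RTF file at all.
    mismatch = ext == "rtf" and actual != "rtf"
    has_vba = ooxml_has_vba(data) if actual == "zip" else False
    return {
        "extension": ext,
        "actual": actual,
        "extension_mismatch": mismatch,
        "has_vba": has_vba,
        "suspicious": mismatch or has_vba,
    }


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP in memory (sample data only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-stream")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a macro-bearing DOCX renamed to .rtf, as in the campaign above.
    print(triage_attachment("invoice_4711.rtf", build_sample_docx(with_macro=True)))
    # Constructed sample: a genuine RTF file, which should pass.
    print(triage_attachment("memo.rtf", b"{\\rtf1\\ansi Hello}"))
```

The verdict is deliberately two-part: an extension/magic mismatch alone is a strong signal for this campaign, while the VBA check also catches the same payload if it arrives under its honest `.docm` name.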


The VirusTotal results for the two unique binaries dropped are 3/55 [1] [2], but automated analysis [3] [4] is inconclusive. It looks rather like ransomware, but I cannot confirm this.
