From: FSPRD@covance.com
Reply-To: donotreply@covance.com
Date: 21 April 2016 at 12:03
Subject: Dispatched Purchase Order
Purchase Order, 11300 / 0006432242, has been Dispatched. Please detach and print the attached Purchase Order.
***Please do not respond to this e-mail as the mailbox is not monitored.
________________________________
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.
If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.
Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz, which is a compressed archive containing in turn another archive with a name like 5611205-19.04.2016.tar; inside that archive is a malicious script named in an almost identical format to the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.
So far I have seen two versions of this script, downloading from:
mountainworldtreks.com/9uhg5vd3
secondary36.obec.go.th/9uhg5vd3
The downloaded binary is the same in both cases. The Hybrid Analysis and DeepViz analyses indicate network traffic to:
193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
193.90.12.221
194.116.73.71
64.76.19.251
200.159.128.144
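As an added example (not part of the original post), the Python below triages an attachment of the shape described above without writing anything to disk, and checks a URL or IP against the indicators listed in the post. The nested tgz/tar/js sample it inspects is constructed in memory as a harmless stand-in for the real lure; the script extensions beyond .js, the size cap and the nesting-depth cap are my assumptions, not something the post states.

```python
import io
import tarfile
from urllib.parse import urlparse

# Indicators taken from the post above.
DROPPER_URL_PATH = "/9uhg5vd3"
C2_IPS = {
    "193.90.12.221",    # MultiNet AS, Norway
    "194.116.73.71",    # Topix, Italy
    "64.76.19.251",     # Impsat, Argentina
    "200.159.128.144",  # Novanet da Barra Ass e Inf LTDA, Brazil
}

# Only .js was seen in this campaign; the other extensions are an assumption
# covering the usual Windows Script Host lure formats.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")
ARCHIVE_EXTENSIONS = (".tar", ".tgz", ".tar.gz")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap: do not inflate anything larger
MAX_DEPTH = 3                        # assumed cap: tgz -> tar -> js is depth 1


def find_nested_scripts(archive_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return 'inner.tar/name.js'-style paths of every script member found in an
    archive, descending into nested tar/tgz members. Members are read into
    memory with a size cap; nothing is extracted to disk."""
    if depth > MAX_DEPTH:
        return [prefix + "<max nesting depth exceeded>"]
    found = []
    try:
        tar = tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*")
    except tarfile.ReadError:
        return [prefix + "<not a readable tar archive>"]
    with tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            lowered = member.name.lower()
            path = prefix + member.name
            if lowered.endswith(SCRIPT_EXTENSIONS):
                found.append(path)
            elif lowered.endswith(ARCHIVE_EXTENSIONS):
                if member.size > MAX_MEMBER_BYTES:
                    found.append(path + " <oversized, not inspected>")
                    continue
                inner = tar.extractfile(member).read(MAX_MEMBER_BYTES)
                found.extend(find_nested_scripts(inner, depth + 1, path + "/"))
    return found


def is_campaign_indicator(value: str) -> bool:
    """True if a URL uses the dropper path from the post, or if the host/IP is
    on the post's blocklist. Scheme-less URLs like the ones in the post are accepted."""
    if "/" in value and "://" not in value:
        value = "http://" + value
    if "://" in value:
        parsed = urlparse(value)
        return parsed.path.rstrip("/") == DROPPER_URL_PATH or parsed.hostname in C2_IPS
    return value in C2_IPS


def build_sample_attachment() -> bytes:
    """Constructed sample shaped like the lure in the post:
    0006432242.tgz -> 5611205-19.04.2016.tar -> 5611205-19.04.2016.js.
    The script body is a harmless placeholder, not the real downloader."""
    def pack(members, mode):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode=mode) as tar:
            for name, data in members:
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        return buf.getvalue()

    js = b"// placeholder standing in for the downloader script\n"
    inner_tar = pack([("5611205-19.04.2016.js", js)], "w")
    return pack([("5611205-19.04.2016.tar", inner_tar)], "w:gz")


if __name__ == "__main__":
    for hit in find_nested_scripts(build_sample_attachment()):
        print("script inside attachment:", hit)
    for value in ("mountainworldtreks.com/9uhg5vd3", "193.90.12.221", "http://example.com/"):
        print(value, "->", "BLOCK" if is_campaign_indicator(value) else "ok")
```

Because the campaign rotates the compromised download hosts but keeps the same path, matching on the path rather than the hostname list catches the sites added in the comments as well; and a gateway rule that quarantines any archive whose member is itself an archive containing a script file catches this lure regardless of the outer file name.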
17 comments:
I would recommend everyone to use a VPN service, especially bloggers who sometimes need to access their highly fragile information and developer controls.
A good example would be purevpn apps on iOS and Android both that let you surf anything you want securely and anonymously.
I've stupidly opened this file; I was waiting for a shipment that I had just made payment for, so assumed this was the confirmation.
Is there anything I can do to counteract the file? Should I do a full system format to be safe?
thank you in advance
just pray
@wowbag - the lowest risk approach is to nuke the system and rebuild, but it may be that your system isn't even infected if you are not in target country (presumably UK). Anti-virus software may take a few days to catch up, but even then it can be a tricky bugger to get rid of.
You could try: http://howtoremove.guide/dridex-virus-malware-removal-trojan/
thank you - I use a Mac - before I wipe it clean, is this malware for Mac?
The .js files within the uncompressed file were opened up with Safari - not a Microsoft Office file.
Sorry, I'm a complete novice and I am usually very suspicious of all files contained in emails, however this one caught me off guard as it came perfect timing to confirming shipment. Thanks
@wowbag: this is Windows malware. Your Mac will be safe.
@wowbag.. Wowbagger the Infinitely Prolonged by any chance? ;)
I received this email as well today, I ran Malwarebytes within an hour of previewing the file. Am I safe? Is there anything else I can do? I'm on a Windows desktop..
I live in Canada, not the UK or United states if that helps.
Thanks Conrad, that's a relief. Unfortunately no link to wowbagger - - Someone once described a handbag on eBay as a 'wowbag' - it had a funny ring to it, so wound up using it - had no idea Wowbagger even existed until now. Cheers!
Hi guys, I'm pretty useless with tech and saw this article and panicked a little. I opened the attachment on my iPhone - am I safe? Thanks in advance
@Ben, it impacts Windows PCs only.
@Joe, it *may* be targeting the UK only. But I wouldn't bet my bank account on it.
http://halkaranepal.com/9uhg5vd3
http://lab-pengairan.ub.ac.id/9uhg5vd3
http://malungtreks.com/9uhg5vd3
http://pinplern.com/9uhg5vd3
http://secondary36.obec.go.th/9uhg5vd3
http://uukbpp.ft.ub.ac.id/9uhg5vd3
@Conrad I just previewed the file and it opened another tab in Chrome. I did not download the file... would it be fine? I ran Malwarebytes, Norton Security and Avira scans today and yesterday as well.
Great blog and good information thanks.
COURIER delivery services UK