Sponsored by..

Thursday, 21 April 2016

Malware spam: "Dispatched Purchase Order" / FSPRD@covance.com

This fake financial spam does not come from Covance but is instead a simple forgery with a malicious attachment:

From:    FSPRD@covance.com
Reply-To:    donotreply@covance.com
Date:    21 April 2016 at 12:03
Subject:    Dispatched Purchase Order

Purchase Order, 11300 / 0006432242,  has been Dispatched.  Please detach and print the attached Purchase Order.

***Please do not respond to this e-mail as the mailbox is not monitored.
________________________________
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.

If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.

Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn another archive file with a name like 5611205-19.04.2016.tar and it that archive is a malicious script named in an almost identical format the the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.

So far I have seen two versions of this script, downloading from:

mountainworldtreks.com/9uhg5vd3
secondary36.obec.go.th/9uhg5vd3


The downloaded binary is the same in both cases. This Hybrid Analysis and DeepViz Analysis indicate network traffic to:

193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
193.90.12.221
194.116.73.71
64.76.19.251
200.159.128.144

17 comments:

Unknown said...


I would recommend everyone to use a vpn service especially to bloggers who need to access the to access their highly fragile information sometimes and access of developer control.
A good example would be purevpn apps on iOS and Android both that let you surf anything you want securely and anonymously.

wowbag said...

I've stupidly opened this file, was waiting for a shipment that I had just made payment for so assumed this was the confirmation.
Is there anything I can do to counteract the file? Should I do a full system format to be safe?
thank you in advance

Unknown said...

just pray

Conrad Longmore said...

@wowbag - the lowest risk approach is to nuke the system and rebuild, but it may be that your system isn't even infected if you are not in target country (presumably UK). Anti-virus software may take a few days to catch up, but even then it can be a tricky bugger to get rid of.

Paul said...

You could try: http://howtoremove.guide/dridex-virus-malware-removal-trojan/

wowbag said...

thank you - I use mac - before I wipe it clean, is this malware for mac?
The js files within the uncompressed file were opened up with safari - not a microsoft office file.
Sorry, I'm a complete novice and I am usually very suspicious of all files contained in emails, however this one caught me off guard as it came perfect timing to confirming shipment. Thanks

Conrad Longmore said...

@wowbag: this is Windows malware. Your Mac will be safe.

Conrad Longmore said...

@wowbag.. Wowbagger the Infinitely Prolonged by any chance? ;)

joe said...

I received this email aswell today, I ran malwarebytes within an hour of previewing the file. Am I safe? Is there anything these I can do? I'm on a windows desktop..

joe said...
This comment has been removed by the author.
joe said...

I live in Canada, not the UK or United states if that helps.

wowbag said...

Thanks Conrad, that's a relief. Unfortunately no link to wowbagger - - Someone once described a handbag on eBay as a 'wowbag' - it had a funny ring to it, so wound up using it - had no idea Wowbagger even existed until now. Cheers!

Unknown said...

Hi guys, I'm pretty useless with tech and saw this article and panicked a little. I opened the attachment on my iPhone - am I safe? Thanks in advance

Conrad Longmore said...

@Ben, it impacts Windows PCs only.
@Joe, it *may* be targeting the UK only. But I wouldn't bet my bank account on it.

DK said...

http://halkaranepal.com/9uhg5vd3
http://lab-pengairan.ub.ac.id/9uhg5vd3
http://malungtreks.com/9uhg5vd3
http://pinplern.com/9uhg5vd3
http://secondary36.obec.go.th/9uhg5vd3
http://uukbpp.ft.ub.ac.id/9uhg5vd3

joe said...

@Conrad I just previewed the file and it opened another tab on chrome. I did not download the file... would be fine? I ran malwarebytes, norton security and avira scans today and yesterday aswell.

Unknown said...

Great blog and good information thanks.
COURIER delivery services UK