The rather rude pitch here is a canny bit of social engineering, aimed to make you open the attachment without thinking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js.

From: Milan Bell [Milan.Bell5@viuz-en-sallaz.fr]
Date: 21 April 2016 at 17:45
Subject: FW: Latest order delivery details
Good morning!
Hope you are good.
Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain.tld past due.
I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.
Many thanks and good luck
Milan Bell
DORIC NIMROD AIR ONE LTD
tel. 443-682-9021
This script has a VirusTotal detection rate of just 1/56. The Malwr report and Hybrid Analysis for this show it downloading a malicious binary from:
trendmicro.healdsburgdistricthospital.com/RIB/assets.php
Cheekily the URL references a well-known security company. The domain it is using is a hijacked GoDaddy domain, and the download location is actually hosted at:
176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)
You can be sure that this is a malicious server and I recommend blocking it. This script downloads a binary named alarm.exe which has a detection rate of 4/56. The Hybrid Analysis for this sample shows network connections to:
103.245.153.154 (OrionVM, Australia)
176.9.113.214 (Hetzner, Germany)
210.245.92.63 (PT Telecom Company, Vietnam)
23.249.1.171 (Datacate, US)
It is not clear what the payload is, but there are indications it is the Dridex banking trojan.
Recommended blocklist:
176.103.56.30
103.245.153.154
176.9.113.214
210.245.92.63
23.249.1.171
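As an added example (not part of the original post), the snippet below turns the indicators above into something a defender can actually run: it sweeps proxy or firewall log lines for the download host and the blocklisted IPs, and renders the blocklist as outbound DROP rules. The log format and the sample lines are constructed for illustration; the indicator values themselves are the ones listed in the post.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
BLOCKLIST_IPS = {
    "176.103.56.30",    # hosts the download location for alarm.exe
    "103.245.153.154",  # alarm.exe network connections
    "176.9.113.214",
    "210.245.92.63",
    "23.249.1.171",
}
MALICIOUS_HOSTS = {"trendmicro.healdsburgdistricthospital.com"}

# Constructed sample log: "<timestamp> <src_ip> <action> <url-or-host:port>".
# The entries below are invented for this example and are not from the post.
SAMPLE_LOG = """\
2016-04-21T17:46:02 10.0.0.15 TCP_MISS http://trendmicro.healdsburgdistricthospital.com/RIB/assets.php
2016-04-21T17:46:03 10.0.0.15 TCP_MISS http://www.example.com/index.html
2016-04-21T17:47:10 10.0.0.15 TCP_CONNECT 103.245.153.154:443
2016-04-21T17:47:11 10.0.0.22 TCP_CONNECT 93.184.216.34:443
2016-04-21T17:48:00 10.0.0.15 TCP_MISS http://176.9.113.214/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<action>\S+)\s+(?P<dst>\S+)$")


def _destination(dst):
    """Split a destination field into (host_or_ip, path) for URLs and host:port values."""
    if "://" in dst:
        parsed = urlparse(dst)
        return (parsed.hostname or "").lower(), parsed.path or "/"
    host, _, _port = dst.rpartition(":") if dst.count(":") == 1 else (dst, "", "")
    return host.lower(), ""


def match_indicator(host):
    """Return ("host", value) or ("ip", value) if the destination is a known indicator, else None."""
    if host in MALICIOUS_HOSTS:
        return ("host", host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname that is not on the list
    if str(ip) in BLOCKLIST_IPS:
        return ("ip", str(ip))
    return None


def find_ioc_hits(log_text):
    """Return one record per log line whose destination matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        host, path = _destination(m["dst"])
        indicator = match_indicator(host)
        if indicator:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "indicator_type": indicator[0],
                "indicator": indicator[1],
                "path": path,
            })
    return hits


def iptables_drop_rules(ips=BLOCKLIST_IPS):
    """Render one outbound DROP rule per blocklisted IP, sorted numerically for stable output."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(ips, key=ipaddress.ip_address)]


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['indicator']} ({hit['indicator_type']}) {hit['path']}")
    print("\n".join(iptables_drop_rules()))
```

Matching on the destination IP rather than only the hostname matters here because the post notes the download URL uses a hijacked domain while the content sits on 176.103.56.30; the same server could be reached under a different name and still be caught.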