Sponsored by..

Thursday 17 November 2016

Malware spam: "Sage Invoice [service@sage-invoices.com]" / "Outdated Invoice" leads to Trickbot

This fake financial spam leads to the Trickbot banking trojan.

From:    Sage Invoice [service@sage-invoices.com]
Date:    17 November 2016 at 10:54
Subject:    Outdated Invoice

This is a customer service e-mail from © Sage (UK) Limited to [redacted]
Sage Invoice Payments
Outdated Invoice

You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54. Hybrid Analysis shows malicious network traffic to:

substan.merahost.ru/petrov.bin  [] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)

A malicious file scsnsys.exe is dropped with a detection rate of 8/53.

The domain sage-invoices.com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:

Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: test@orasore.com

I recommend that you block traffic from that domain or check your filters to see who may have it.

Recommended blocklist:
sage-invoices.com [email]


Unknown said...

Please can you let me know what to do having opened the attached document in this email?
Would really appreciate you help. I am using a Mac

Jared said...

Another 3 domains registered by the same TA. Seeing activity on at least one of them so far: