Sponsored by..

Showing posts with label Google Drive. Show all posts
Showing posts with label Google Drive. Show all posts

Thursday, 18 June 2015

Malware spam: "NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693" / "sac.contact4e74974737@bol.com.br"

These Portuguese-language spam pretends to be some sort of banking invoice aim, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

From:    sac.contact4e74974737@bol.com.br
To:    mariomarinho@uol.com.br
Date:    18 June 2015 at 08:46
Subject:    NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by:    bol.com.br

Olá.
Estamos encaminhando o LINK para download da nota fiscal eletrônica.
https://cfb53a79c1679ed75e40a391fa21b9b359784781.googledrive.com/host/[redacted]

Caso tenha alguns dos dados errados favor nos retorne no email nfe@jmcomercio.com.br.

 ATT, DANI AIRES DP.FINANCEIRO

18/06/15 :
04:46:18.161 :
''8636055042''WTg9R9cng3hYUD''RYkSkcFpJs''
Por favor, não "responda" esta mensagem.

The reference numbers and sender change slightly in each version.

I've seen three samples before, each one with a different download location [a list is here] which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57. Comments in that report indicate that this may be the Spy.Banker trojan.

The Malwr report indicates that it downloads components from the following locations:

http://donwup2015.com.br/arq/point.php
http://tynly2015.com.br/upt/ext.zlib

The Hybrid Analysis report  also has some other details.

These sites are hosted on:

108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)

The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be blocked.

Furthermore, Malwr shows that it drops a file with a detection rate of 2/57. As yet, I have only tested this on Malwr and it fails to run.

Recommended blocklist:
108.167.188.249
187.17.111.104

MD5s:
71070bc5e6b5c03c2e1d1ef4563c7b94
b969376c85d4e7f1a94ca3a2e416792e