From: Darius Green
Date: 12 January 2016 at 09:33
Subject: Lattitude Global Volunteering - Invoice - 3FAAB65

Dear customer,
Please find attached a copy of your final invoice for your placement in Canada.
This invoice needs to be paid by the 18th January 2016.
Due to recent increases on credit card charges, we prefer that you make a payment for your invoice by bank transfer; our bank details are:
You must provide your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
Account Name: Lattitude Global Volunteering
Bank: Barclays Bank
Sort Code: 20-71-03
Account No. 20047376
IBAN: GB13BARC20710320047376
SWIFT BIC: BARCGB22
Kind regards
Luis Robayo
Accounts Department
Lattitude Global Volunteering
T: +44 (0) 118 956 2903
finance@lattitude.org.uk
WWW.lattitude.org.uk
Visit us on Facebook
Follow us on Twitter
Lattitude Global Volunteering is a UK registered international youth development charity (No. 272761), a company limited by guarantee (No. 01289296) and a member of BOND (British Overseas NGOs for Development).

I have personally only seen two samples so far with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:
31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php
This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be malicious and should be blocked.
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)
A file kfc.exe is dropped onto the target system which has a detection rate of 6/52 and an MD5 of 8cfaf90bf572e528c2759f93c89b6986. Those previous Malwr reports indicate that it phones home to a familiar IP of:
78.47.119.93 (Hetzner, Germany)
Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84
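As an added example (not part of the original post), the Python below turns the indicators from this write-up into a check over web proxy log lines, flagging the blocklisted hosts, the Dridex phone-home address, and the shared download path even when it appears on a host not yet on the list. The log lines are constructed and the Squid-like log format is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKLIST = {"78.47.119.93", "31.131.20.217", "185.125.32.39",
             "5.34.183.41", "5.149.254.84"}
C2_IP = "78.47.119.93"
DOWNLOAD_PATH = "/shifaki/indentification.php"

# Constructed Squid-style access log lines (not real traffic).
# Fields assumed: timestamp, client IP, result code, method, URL.
SAMPLE_LOG = """\
1452591200.123 10.0.0.5 TCP_MISS/200 GET http://31.131.20.217/shifaki/indentification.php
1452591201.456 10.0.0.5 TCP_MISS/200 GET http://www.example.org/index.html
1452591230.789 10.0.0.5 TCP_MISS/200 POST http://78.47.119.93/
1452591240.000 10.0.0.9 TCP_MISS/200 GET http://5.149.254.84/other/path.php
1452591250.000 10.0.0.9 TCP_MISS/200 GET http://203.0.113.7/shifaki/indentification.php
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def classify(url):
    """Return the list of indicator matches for one requested URL."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in BLOCKLIST:
        reasons.append("blocklisted host")
    # Path match is checked independently of the host so that a new
    # download server reusing the same path is still caught.
    if parts.path == DOWNLOAD_PATH:
        reasons.append("dropper download path")
    if parts.hostname == C2_IP:
        reasons.append("dridex c2")
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for every log line hitting an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = classify(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```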