From: Whitney
Date: 23 December 2014 at 09:12
Subject: Remittance Advice -DPRC93
Confidentiality and Disclaimer: This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
Please contact the sender to notify them of the error.
This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the Telecommunications (Lawful Business Practices)(Interception of Communications) Regulations 2000.
The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, this is poorly-detected by AV vendors [1] [2] [3] [4].
If you read this blog regularly then you might have seen me mention these attacks many times before, and most of these have a familiar pattern. However, the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself.
The macro itself looks like this [pastebin] and as far as I can tell from it, it loads some data from the Excel spreadsheet and puts it into a file %TEMP%\windows.vbs. So far I have seen four different scripts [1] [2] [3] [4] which download a component from one of the following locations:
http://185.48.56.133:8080/sstat/lldvs.php
http://95.163.121.27:8080/sstat/lldvs.php
http://92.63.88.100:8080/sstat/lldvs.php
http://92.63.88.106:8080/sstat/lldvs.php
It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe.
The ThreatExpert report shows traffic to the following:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)
VirusTotal indicates a detection rate of just 3/54, and identifies it as Dridex.
Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106
Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well.