From: Kate Coffey
Date: 1 April 2015 at 15:00
Subject: Your Remittance Advice PEEL SOUTH EAST
Dear sir or Madam,
Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.
Best regards
PEEL SOUTH EAST
Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:
http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif
Those servers are almost certainly entirely malicious, with IPs assigned to:
31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)
This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:
188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)
According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.
Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78
MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9