I have only seen a single sample of this email at present, but if it is consistent with other similar emails then details such as the sender's name and reference numbers will vary. In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55.

From: Hoyt Fowler
Date: 8 January 2016 at 10:49
Subject: Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7
Total Amount: GBP 60,00
Due Date: 28.01.2016
If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.
Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House
Parkeston, Harwich
Essex, CO12 4QG No.3874882
Tel: 01255 242242
Registered in England
VAT No. GB759894254
Global Transport and Logistics
According to this Malwr report, the sample attempts to download a further component:
194.28.84.79/softparade/spanish.php
There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too.
A file named hram.exe is dropped onto the target system, with a detection rate of 4/54. The Malwr report indicates that this communicates with:
78.47.119.93 (Hetzner, Germany)
This is a critical IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan.
UPDATE 1
A contact (thank you) let me know of two other download locations:
176.103.62.14/softparade/spanish.php
51.254.51.178/softparade/spanish.php
These are:
176.103.62.14 (PE Ivanov Vitaliy Sergeevich, Ukraine)
51.254.51.178 (OVH, France / Dmitry Shestakov, Russia)
Both of those hosts are pretty well known for serving malware. I recommend that you block the entire /20 for the first in the first instance, and for the second the blocks referenced here.
MD5s:
5ab2a67268b3362802a13594edafbd2e
7d60996dd9293df5eecd07f33207aca8
Recommended blocklist:
78.47.119.93
194.28.84.79
176.103.48.0/20
51.254.51.176/30
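To show how the indicators above fit together in practice, here is an added example (my own code, not from the original post or from DSV): it checks that every individual download and C2 IP in the post is actually covered by the recommended blocklist (the two CIDRs are wider than the single hosts), then scans a few constructed Squid-style proxy log lines for hits on either a blocklisted destination IP or the /softparade/spanish.php download path, and finally matches a file against the two MD5s. The log lines, the internal client addresses and the log format are assumptions for the demo.

```python
"""IOC matcher for the DSV/Dridex indicators listed above.

Added example, not code from the original post. Log lines, client
addresses and the Squid native access-log format are assumptions.
"""
import hashlib
import ipaddress
import re

# Indicators copied from the post
DOWNLOAD_HOSTS = ["194.28.84.79", "176.103.62.14", "51.254.51.178"]
C2_HOST = "78.47.119.93"
DOWNLOAD_PATH = "/softparade/spanish.php"
KNOWN_MD5S = {
    "5ab2a67268b3362802a13594edafbd2e",
    "7d60996dd9293df5eecd07f33207aca8",
}

# Recommended blocklist from the post: two single hosts plus two CIDRs
BLOCKLIST = ["78.47.119.93", "194.28.84.79", "176.103.48.0/20", "51.254.51.176/30"]
BLOCK_NETS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]


def is_blocked(ip):
    """True if ip falls inside any blocklist entry (host or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCK_NETS)


def uncovered_indicators():
    """Indicator IPs that the blocklist would NOT catch (expected: none)."""
    return [ip for ip in DOWNLOAD_HOSTS + [C2_HOST] if not is_blocked(ip)]


# Constructed sample log lines in Squid native format (hypothetical traffic):
# timestamp elapsed client status/code bytes method URL rfc931 peer/dest type
SAMPLE_LOG = """\
1452250140.123    210 10.0.0.15 TCP_MISS/200 3412 GET http://194.28.84.79/softparade/spanish.php - HIER_DIRECT/194.28.84.79 application/octet-stream
1452250141.456    150 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1452250150.789    300 10.0.0.22 TCP_MISS/200 801 POST http://78.47.119.93/ - HIER_DIRECT/78.47.119.93 text/html
1452250160.001    120 10.0.0.31 TCP_MISS/200 3412 GET http://51.254.51.178/softparade/spanish.php - HIER_DIRECT/51.254.51.178 application/octet-stream
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>\S+)"
)


def scan_log(text):
    """Return (client, destination, reasons) for every line that hits an indicator.

    Two independent checks: destination IP in the blocklist, and the
    download path in the URL (catches a new host using the same path).
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        src, dst, url = m["src"], m["dst"], m["url"]
        reasons = []
        if is_blocked(dst):
            reasons.append("dst-ip-blocklisted")
        if DOWNLOAD_PATH in url:
            reasons.append("dridex-download-path")
        if reasons:
            hits.append((src, dst, ",".join(reasons)))
    return hits


def is_known_sample(data):
    """True if the MD5 of data is one of the two hashes from the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


if __name__ == "__main__":
    print("uncovered:", uncovered_indicators())
    for hit in scan_log(SAMPLE_LOG):
        print("HIT", hit)
```

The path check matters because the post expects further download locations to appear; a host that is not yet on the list still trips the path match, and the client address tells you which machine opened the attachment.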
UPDATE 2
A new run of this spam is currently being sent out as of 11.01.16, with a payload identical to the one described above.