From: Kenya Becker
Date: 19 February 2016 at 11:59
Subject: Invoice FEB-92031923
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.
Thank you!
Kenya Becker
Accounting Specialist
==================
From: Toni Jacobson
Date: 19 February 2016 at 12:10
Subject: Invoice FEB-63396033
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.
Thank you!
Toni Jacobson
Accounting Specialist
Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report) which contains XML that looks like this [pastebin]. Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:
ratgeber-beziehung.de/5/5.exe
www.proteusnet.it/6/6.exe
If recent patterns are followed, there will be several different download locations, with a different version of the file at each. I will let you know if I get these locations. The binaries have detection rates of 7/55 and 6/54, and these Malwr reports [1] [2] [3] indicate that they phone home to:
85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)
Other samples are being analysed, but in the meantime I recommend that you block traffic to:
85.25.138.187
31.41.47.3
UPDATE 1
Some additional download locations from these Malwr reports [1] [2] [3]:
ecoledecorroy.be/1/1.exe
animar.net.pl/3/3.exe
luigicalabrese.it/7/7.exe
...still working on those other locations!
UPDATE 2
Two other locations are revealed in these Malwr reports [1] [2]:
http://lasmak.pl/2/2.exe
http://suicast.de/4/4.exe
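The indicators above (the seven download locations, the /n/n.exe path pattern they all share, and the two phone-home addresses) are easiest to act on as a log check. The following is an added example, not code from the original post: it scans a constructed proxy/firewall log in an assumed format ("timestamp client action dest_ip url", with "-" as the URL for raw connections) and flags three things in descending severity: any connection to the C2 IPs, a download from one of the listed sites, and the same /n/n.exe path on a host not yet on the list, which is how the "other locations" mentioned in the updates would show up. The log lines, the client addresses and the destination IPs for the compromised sites are all made up for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
DOWNLOAD_URLS = [
    "http://ratgeber-beziehung.de/5/5.exe",
    "http://www.proteusnet.it/6/6.exe",
    "http://ecoledecorroy.be/1/1.exe",
    "http://animar.net.pl/3/3.exe",
    "http://luigicalabrese.it/7/7.exe",
    "http://lasmak.pl/2/2.exe",
    "http://suicast.de/4/4.exe",
]
C2_IPS = {"85.25.138.187", "31.41.47.3"}

# Hostnames of the download locations, case-folded for comparison.
DOWNLOAD_HOSTS = {urlsplit(u).netloc.lower() for u in DOWNLOAD_URLS}

# The campaign's path pattern: /<n>/<n>.exe with the same digit in both places.
# Matching the pattern as well as the exact URLs catches sibling locations
# that have not been published yet (e.g. /8/8.exe on some other host).
PATH_PATTERN = re.compile(r"^/(\d)/\1\.exe$")

# Assumed (constructed) log format, one event per line:
#   <timestamp> <client_ip> <action> <dest_ip> <url>
# with "-" as the URL for plain TCP connections.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<action>\S+) (?P<dest>\S+) (?P<url>\S+)$")

# Constructed sample log. Destination IPs for the compromised sites are
# documentation-range addresses, not the sites' real ones.
SAMPLE_LOG = """\
2016-02-19T11:59:41Z 10.1.2.34 GET 198.51.100.10 http://ratgeber-beziehung.de/5/5.exe
2016-02-19T12:00:03Z 10.1.2.34 CONNECT 85.25.138.187 -
2016-02-19T12:10:17Z 10.1.2.57 GET 203.0.113.8 http://example.invalid/8/8.exe
2016-02-19T12:11:02Z 10.1.2.57 GET 203.0.113.9 http://www.example.com/files/report.exe
2016-02-19T12:12:45Z 10.1.2.57 CONNECT 31.41.47.3 -
"""


def classify(line):
    """Return {"client", "severity", "reason"} for a suspicious log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # 1. Any traffic to a C2 address: the dropped binary has already run.
    if ev["dest"] in C2_IPS:
        return {"client": ev["client"], "severity": "critical",
                "reason": f"c2 callback to {ev['dest']}"}
    if ev["url"] == "-":
        return None
    parts = urlsplit(ev["url"])
    host, path = parts.netloc.lower(), parts.path
    # 2. Exact known download location from the post.
    if host in DOWNLOAD_HOSTS and PATH_PATTERN.match(path):
        return {"client": ev["client"], "severity": "high",
                "reason": f"known dropper download {host}{path}"}
    # 3. Same /n/n.exe layout on an unlisted host: probable sibling location.
    if PATH_PATTERN.match(path):
        return {"client": ev["client"], "severity": "medium",
                "reason": f"dropper-style path {host}{path}"}
    return None


def scan(lines):
    """Classify every line; return the list of hits in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['severity']:8} {hit['client']:12} {hit['reason']}")
```

A medium hit on its own is only a lead (any site could host a file at /3/3.exe), but one from a client that also fetched a listed location or called the C2 addresses is worth treating as a compromise. The C2 check deliberately ignores port and protocol, since blocking is recommended on the addresses alone.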