This fake invoice does NOT come from MBL Seminars; they are not sending this spam, nor have their systems been compromised. Instead, it is a forgery with a malicious attachment.
From: Gail Walker [gail@mblseminars.com]
Date: 11 February 2015 at 09:52
Subject: Outstanding Invoice 271741
Dear Customer
Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
If you have any queries, please do not hesitate to contact us.
Regards
Gail Walker
MBL (Seminars) Limited
The Mill House
6 Worsley Road
Worsley
Manchester
United Kingdom
M28 2NL
Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139
So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2], each containing a different macro [1] [2]. These download a component from the following locations:
http://www.rapidappliances.co.uk/js/bin.exe
http://translatorswithoutborders.com/js/bin.exe
This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:
37.139.47.105 (Comfortel, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)
136.243.237.218 (Hetzner, Germany)
66.110.179.66 (Microtech Tel, US)
78.140.164.160 (Webazilla, Netherlands / Fozzy Inc, US)
109.234.38.70 (Mchost, Russia)
The Malwr report suggests an attempt to connect to these nonexistent domains:
U1Q6nUgvQfsx4xDu.com
bpmIYYreSPwa7.com
zdMjztmwoDX7cD.com
It also drops a DLL with a detection rate of 3/57 which is probably Dridex.
Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70
For researchers, a copy of the files can be found here. Password is infected.
UPDATE 2015-02-12
Another spam run is under way, with the same text but two different DOC files with zero detections [1] [2], containing one of two malicious macros [1] [2] that download another component from one of the following locations:
http://advancedheattreat.com/js/bin.exe
http://ecinteriordesign.com/js/bin.exe
The payload appears to be the same as the one used in this spam run.