From: Erasmo Small
Date: 12 March 2015 at 09:40
Subject: Invoice [3479XZM] for payment to INCOME & GROWTH VCT PLC(THE)
From: Eli Ramirez
Date: 12 March 2015 at 08:37
Subject: Invoice [4053FJK] for payment to RANDGOLD RESOURCES
From: Richard Baxter
Date: 12 March 2015 at 08:37
Subject: Invoice [3020JQM] for payment to TARSUS GROUP PLC
From: Megan Dennis
Date: 12 March 2015 at 09:36
Subject: Invoice [4706CEZ] for payment to SHANKS GROUP
The attachment is a Word document with a name that matches the reference in the subject. So far, I have seen two different versions of this with low detection rates [1] [2] which contain these malicious macros [1] [2] [pastebin] which contain some quite entertaining obfuscation, but when deobfuscated try to download an additional component from the following locations:
https://92.63.88.102/api/gb1.exe
https://85.143.166.124/api/gb1.exe
Note the use of HTTPS. Those two IP addresses belong to:
92.63.88.102 (MWTV, Latvia)
85.143.166.124 (Pirix, Russia)
Both are well-known hosts for this sort of rubbish. According to the Malwr report this attempts to phone home to:
95.163.121.33 (Digital Networks CJSC aka DINETHOSTING, Russia)
Digital Networks is also a sea of crap. It also drops a Dridex DLL with a detection rate of 9/57.
Recommended blocklist:
95.163.121.0/24
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
85.143.166.0/24