From: Johnny Higgins [JohnnyHigginsyb@mail.whitsoncm.com]
To: "it-dept@victimdomain"
Date: 13 May 2015 at 11:39
Subject: Need your attention,''Important notice
Good Afternoon,
We have received a payment from you for the sum of £ 686. Please would you provide me with a remittance, in order for me to reconcile the statement.
I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564 less the £3254.00 received making a total outstanding of £ 878. We would very much appreciate settlement of this.
As previously mentioned, we changed entity to a limited company on 1st December 2014. We are keen to close all the old accounts down, for both tax and year end reasons. We would be very grateful in your assistance in settling the outstanding.
If you need any copy invoices please do not hesitate to contact us
Regards,
Johnny Higgins
--------------------------
From: Rowena Mcconnell [RowenaMcconnellev@telemar.it]
To: tedwards@victimdomain
Date: 13 May 2015 at 11:38
Subject: Financial information
Good Afternoon,
Please see attached the copy of the remittance.
Please can you send a revised statement so we can settle any outstanding balances.
Kind Regards,
Rowena Mcconnell
--------------------------
From: Jimmie Cooley [JimmieCooleyzils@fsband.net]
To: server@victimdomain
Date: 13 May 2015 at 11:34
Subject: Important information
Good morning
Please find attached a remittance advice, relating to a payment made to you.
Many thanks
Regards,
Jimmie Cooley
Seniour Finance Assistant
Each attachment is slightly different, but it does contain the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many copies are corrupt and are either Base64 encoded or are "404 Not Found" files.
If the file is correctly formatted, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs, but crucially it also downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.
This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.
Recommended blocklist:
46.36.217.227
91.226.93.110
MD5s:
9afecfaa484c66f2dd11f2d7e9dc4816
d2f825ecfb3d979950b9de92cbe29286
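As an added example (not part of the original post), the following Python script triages constructed mail records against the indicators above: the attachment-name pattern described (recipient name, underscore, random hex; the 12-hex-digit length is assumed from the single sample it-dept_0E78A3A5700B.doc), the two MD5s and the two IPs. The record layout and sample data are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Indicators taken from the post above.
BLOCKLIST_IPS = {"46.36.217.227", "91.226.93.110"}
BLOCKLIST_MD5 = {"9afecfaa484c66f2dd11f2d7e9dc4816",
                 "d2f825ecfb3d979950b9de92cbe29286"}


def attachment_matches_campaign(recipient, filename):
    """True if filename is <recipient local-part>_<12 hex digits>.doc.

    The 12-digit length is an assumption based on the one sample name
    quoted in the post; widen it if other samples differ.
    """
    local = parseaddr(recipient)[1].split("@")[0]
    if not local:
        return False
    pattern = rf"^{re.escape(local)}_[0-9a-f]{{12}}\.doc$"
    return re.match(pattern, filename, re.IGNORECASE) is not None


def triage(messages):
    """Return (recipient, reasons) for every record hitting an indicator.

    Each record is a constructed dict with keys: to, attachment,
    and optionally md5 (of the attachment) and contacted_ips
    (what a sandbox saw the attachment talk to).
    """
    hits = []
    for m in messages:
        reasons = []
        if attachment_matches_campaign(m["to"], m.get("attachment", "")):
            reasons.append("attachment name matches campaign pattern")
        if m.get("md5", "").lower() in BLOCKLIST_MD5:
            reasons.append("attachment MD5 on blocklist")
        if BLOCKLIST_IPS & set(m.get("contacted_ips", [])):
            reasons.append("sandbox contacted blocklisted IP")
        if reasons:
            hits.append((m["to"], "; ".join(reasons)))
    return hits


# Constructed sample records, not real mail data.
SAMPLE = [
    {"to": "it-dept@victimdomain", "attachment": "it-dept_0E78A3A5700B.doc",
     "md5": "9AFECFAA484C66F2DD11F2D7E9DC4816"},
    {"to": "tedwards@victimdomain", "attachment": "invoice.pdf"},
    {"to": "server@victimdomain", "attachment": "server_1A2B3C4D5E6F.doc",
     "contacted_ips": ["46.36.217.227"]},
]

if __name__ == "__main__":
    for to, why in triage(SAMPLE):
        print(f"{to}: {why}")
```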