From: Adeline Harrison [HarrisonAdeline20@granjacapital.com.br]
Date: 19 January 2016 at 09:45
Subject: Remittance Advice 1B859E37
For the attention of Accounts Receivable,
We are attaching an up to date remittance advice detailing the latest payment on your account.
Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
Kind regards,
Adeline Harrison
Best Regards,
Adeline Harrison
Senior Finance Assistant, Bellingham + Stanley
Bellingham + Stanley
Longfield Road
Tunbridge Wells
Kent, TN2 3EY
United Kingdom
Office: +44 (0) 1892 500406
Fax: +44 (0) 1892 543115
HarrisonAdeline20@granjacapital.com.br
www.bellinghamandstanley.com

I have seen at least four different variations of the attachment, named in the format remittance_advice14DDA974.doc (VirusTotal results [1] [2] [3] [4]). These Malwr reports [5] [6] [7] [8] show those samples communicating with:
http://179.60.144.19/victor/onopko.php
http://5.34.183.127/victor/onopko.php
Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)
UPDATE 1: this related spam run also downloads from:
91.223.88.206/victor/onopko.php
This is allocated to "Private Person Anton Malyi" in Ukraine.
A file aarab.exe is dropped (MD5 05219ea0aefedc873cecaa1f5100c617) [VT 4/53] which appears to communicate with:
198.50.234.211 (OVH, Canada)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan; this attack is consistent with botnet 120.
UPDATE 2
This other Dridex 120 spam run uses different download locations:
46.17.100.209/aleksei/smertin.php
31.131.20.217/aleksei/smertin.php
The dropped "aarab.exe" file is also different, with an MD5 of c19959c2d372a7d40d4ba0f99745f114 and a detection rate of just 2/54.
Recommended blocklist:
198.50.234.211
179.60.144.19
5.34.183.127
91.223.88.206
46.17.100.209
31.131.20.217
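As an added example (not part of the original post), the following Python checks proxy access logs against the indicators listed above. It flags both the blocklisted IPs and the two shared download paths, so a request for /victor/onopko.php or /aleksei/smertin.php from a host not yet on the list is still surfaced, which matters because the post shows the same path reused across several different hosts. The Squid-style log layout and the sample log lines are assumptions constructed for the demo.

```python
import re

# Indicators taken from the post above: download hosts, the dropped
# sample's callback host, and the two URL paths the download locations share.
BLOCKLIST_IPS = {
    "198.50.234.211",                                   # aarab.exe callback (OVH, Canada)
    "179.60.144.19", "5.34.183.127", "91.223.88.206",   # /victor/onopko.php hosts
    "46.17.100.209", "31.131.20.217",                   # /aleksei/smertin.php hosts
}
DOWNLOAD_PATHS = ("/victor/onopko.php", "/aleksei/smertin.php")

# Assumed Squid-style access log layout: timestamp client action/status method url.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?\s]*)?")


def check_line(line):
    """Return (client, host, reason) if the request matches a Dridex 120 indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    u = HOST_RE.match(m.group("url"))
    if not u:
        return None
    host, path = u.group("host"), u.group("path") or "/"
    reasons = []
    if host in BLOCKLIST_IPS:
        reasons.append("blocklisted IP " + host)
    if path.endswith(DOWNLOAD_PATHS):  # str.endswith accepts a tuple of suffixes
        reasons.append("known download path " + path)
    if not reasons:
        return None
    return (m.group("client"), host, "; ".join(reasons))


def scan(lines):
    """Run check_line over an iterable of log lines and return the hits in order."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample log lines (not from the post) exercising each case:
# a listed host with a listed path, a listed host alone, an unlisted host
# with a listed path, and a benign request.
SAMPLE_LOG = """\
2016-01-19T09:47:02 10.0.0.15 TCP_MISS/200 GET http://179.60.144.19/victor/onopko.php
2016-01-19T09:47:05 10.0.0.15 TCP_MISS/200 GET http://198.50.234.211/
2016-01-19T09:48:11 10.0.0.22 TCP_MISS/200 GET http://203.0.113.9/aleksei/smertin.php
2016-01-19T09:49:30 10.0.0.31 TCP_HIT/200 GET http://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    for client, host, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```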