From MyBill [mybill.central@affinitywater.co.uk]
Date Fri, 04 Mar 2016 14:50:57 +0530
Subject Closing bill
Dear customer
Please find attached a copy of closing bill as requested.
Kind Regards
Natasha Hawkes
Customer Relations Advisor
affinitywater.co.uk
_________________________________________________________________________
This e-mail
(including any attachments) is confidential and may also be legally privileged or
otherwise protected from disclosure. If you are not the intended recipient of this
e-mail or any parts of it please notify us by reply e-mail or by telephone on 01707
268 111 immediately on receipt and then delete the message from your system. You
should not disclose the contents to any other person, nor take copies nor use it
for any purposes and to do so could be unlawful. The presence of this footnote indicates:
this email message has been tested for the presence of known computer viruses, unless
the email has been encrypted (in part or full) wherein the email will not be checked
for computer viruses. All incoming and outgoing emails may be monitored in line with
current legislation. Affinity Water Limited (Company Number 02546950) is registered
in England and Wales having their registered office, at Tamblin Way, Hatfield, Hertfordshire,
AL10 9EZ. www.affinitywater.co.uk
_____________________________________________________________________________
Attached is a partly randomly-named file, for exampple 081155545_1735494_18836.xls - the first two numbers are random, the third is always "18836". So far I have seen just two variants of this (there may be more) with detection rates of about 5/56 [1] [2] which according to the Malwr reports [3] [4] download a binary from the following locations:
prettymom.ru/system/logs/vbry73f34f.exe
desean.com.sg/system/logs/vbry73f34f.exe
This binary has a detection rate of 6/56. Analysis is pending, however this looks like the Dridex banking trojan.
UPDATE 1
The comments in the VirusTotal scan give some more download locations:
2.casino-engine.ru/games/megajack/vbry73f34f.exe
shop-bedep.com/system/logs/vbry73f34f.exe
17.rent-shops.ru/system/logs/vbry73f34f.exe
Curiously "Bedep" is the name of a trojan. These Hybrid Analysis reports [1] [2] [3] show malicious traffic to:
188.165.215.180 (OVH, France)
I strongly recommend that you block traffic to that IP.
UPDATE2
Some additional download locations and C&C servers to block, from another source (thank you!)
jean-daniel.com.ua/system/logs/vbry73f34f.exe
namkeendelights.com/system/logs/vbry73f34f.exe
Overall, some of these download locations look like good candidates for blocking, especially:
81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)
These additional C&C servers have been seen before:
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57