From: Milan Roach
Date: 30 October 2014 11:35
Subject: Further Reminder SN4215796

Good afternoon,
Please see attached statement sent to us, I have highlighted on this the payments made to you in full and attached a breakdown of each one for you to correctly allocate. Hope this helps.
Thanking you in advance.
Many Thanks & Kind Regards
Milan Roach
Senior Accounts Payable Clerk
Finance Department

Attached is a malicious Word document with the same name as the subject (e.g. CopySN4215796.doc). There are at least two different versions of this document [Version 1 VirusTotal / Malwr report, Version 2 VirusTotal / Malwr report]. If macros are enabled on the target machine then a malicious macro [pastebin] runs and downloads a further component from one of the two following locations (there may be more):
http://81.7.3.101:8080/doc/6.exe
http://195.154.126.245:8080/doc/6.exe
This binary has a VirusTotal detection rate of 7/54 and the Malwr report shows it contacting the following URLs:
http://212.59.117.207/fJ5SAAWU%7EQh@T%7E/.c0ip%2D~wm&4iS$2%20/@sVAEx5n%2Dq2fhFR%2C2E3nTsY7CsJG
http://217.160.228.222/mqtGeOgnz/1%7EzXP@%20F~YhNF/tznfsAv2%2BWsXzjfHO2$0XGvz/eyWejESZTRrqx2vf/&
It also drops a file 2.tmp, which is actually a DLL; its VirusTotal detection rate of 14/54 identifies it clearly as a variant of Cridex.
Recommended blocklist:
212.59.117.207
217.160.228.222
91.222.139.45
81.7.3.101
195.154.126.245
UPDATE: a contact tells me that this malware also connects to a config file at:
212.59.117.207:8080
91.222.139.45:8080
...so I have updated the blocklist above to include these.
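To put the blocklist above (including the two config endpoints from the UPDATE) to use on the defensive side, here is an added example, not code from the original post, that checks outbound proxy-log URLs against the listed IPs and host:port pairs. The log format ("timestamp client status url") and the sample lines are constructed for the example; the blocklist entries are the ones given on this page. It deliberately parses the odd-looking Cridex callback URLs correctly: the `@`, `$` and `&` characters sit in the path, so they must not be allowed to confuse host extraction.

```python
"""Match proxy-log URLs against the IOC blocklist from the post.

Added example, not part of the original post. The log format and the
sample lines below are constructed; the blocklist entries are the ones
listed on the page.
"""
import re
from urllib.parse import urlsplit

# IPs from the "Recommended blocklist" (including the two added in the UPDATE).
BLOCKLIST_IPS = frozenset({
    "212.59.117.207",
    "217.160.228.222",
    "91.222.139.45",
    "81.7.3.101",
    "195.154.126.245",
})

# host:port pairs named explicitly on the page: the two 6.exe download
# locations and the two config-file endpoints from the UPDATE.
BLOCKLIST_ENDPOINTS = frozenset({
    ("81.7.3.101", 8080),
    ("195.154.126.245", 8080),
    ("212.59.117.207", 8080),
    ("91.222.139.45", 8080),
})

# Constructed log format: "<timestamp> <client-ip> <status> <url>".
# This is an assumption for the example, not any proxy's native format.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<url>\S+)$")


def host_port(url):
    """Return (host, port) for a URL, defaulting the port by scheme.

    urlsplit ends the authority at the first '/', so the '@', '$' and '&'
    inside the Cridex callback paths never reach the hostname.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return None, None
    try:
        port = parts.port
    except ValueError:  # malformed port component in the URL
        return host, None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return host, port


def classify(url):
    """Return 'endpoint' for a listed host:port, 'ip' for a listed IP, else None."""
    host, port = host_port(url)
    if host is None:
        return None
    if (host, port) in BLOCKLIST_ENDPOINTS:
        return "endpoint"
    if host in BLOCKLIST_IPS:
        return "ip"
    return None


def scan_log(text):
    """Return (client, host, port, reason) for every log line whose URL hits the list."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reason = classify(m["url"])
        if reason:
            host, port = host_port(m["url"])
            hits.append((m["client"], host, port, reason))
    return hits


# Constructed sample: two lines reuse URLs quoted on the page, one is benign,
# one is a bare hit on a config endpoint from the UPDATE (path not given on the page).
SAMPLE_LOG = """\
2014-10-30T11:40:02 10.0.0.15 200 http://81.7.3.101:8080/doc/6.exe
2014-10-30T11:40:09 10.0.0.15 200 http://212.59.117.207/fJ5SAAWU%7EQh@T%7E/.c0ip%2D~wm&4iS$2%20/@sVAEx5n%2Dq2fhFR%2C2E3nTsY7CsJG
2014-10-30T11:41:00 10.0.0.22 200 http://www.example.com/index.html
2014-10-30T11:41:33 10.0.0.15 200 http://91.222.139.45:8080/
"""

if __name__ == "__main__":
    for client, host, port, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}:{port} ({reason})")
```

Matching on raw IP is the right granularity for this campaign because the page gives only IPs, but it also means a client that reaches the same C2 through a DNS name, or an infrastructure move to a fresh IP, will not be caught; treat the blocklist as a starting point and add the 6.exe and 2.tmp hashes from the linked VirusTotal reports to endpoint detection as well.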