This fake remittance advice comes with a malicious Excel attachment.
From: Whitney
Date: 23 December 2014 at 09:12
Subject: Remittance Advice -DPRC93
Confidentiality and Disclaimer: This email and its attachments are
intended for the addressee only and may be confidential or the subject
of legal privilege.
If this email and its attachments have come to you in error you must
take no action based on them, nor must you copy them, distribute them or
show them to anyone.
Please contact the sender to notify them of the error.
This email and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.
Please note that electronic mail may be monitored in accordance with the
Telecommunications (Lawful Business Practices)(Interception of
Communications) Regulations 2000.
The reference in the subject varies, and the name of the attachment always matches it (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which contain a malicious macro. At the moment, this is poorly detected by AV vendors [1] [2] [3] [4].
If you read this blog regularly then you might have seen me mention these attacks many times before, and most of them follow a familiar pattern. However, the macro has now changed completely: it loads some of its data from the Excel spreadsheet itself.
The macro itself looks like this [pastebin] and, as far as I can tell, it reads some data from the Excel spreadsheet and writes it out to a file %TEMP%\windows.vbs. So far I have seen four different scripts [1] [2] [3] [4], which download a component from one of the following locations:
http://185.48.56.133:8080/sstat/lldvs.php
http://95.163.121.27:8080/sstat/lldvs.php
http://92.63.88.100:8080/sstat/lldvs.php
http://92.63.88.106:8080/sstat/lldvs.php
It appears that this component is downloaded as test.exe and is then saved as %TEMP%\servics.exe.
The ThreatExpert report shows traffic to the following:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer AG, Germany)
VirusTotal indicates a detection rate of just 3/54, and identifies it as Dridex.
Recommended blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
185.48.56.133
95.163.121.27
92.63.88.100
92.63.88.106
Note that two of the downloader IPs are in the 92.63.88.0/24 range (MWTV, Latvia), so you may also want to block that whole range.
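For anyone who wants to check proxy logs against the downloader URLs and the blocklist above, here is an added example (my own, not part of the original post or the malware) that matches log lines on three things: the exact IPs in the blocklist, the optional 92.63.88.0/24 range, and the common downloader path :8080/sstat/lldvs.php, so a new host using the same path is still flagged. The log format (timestamp, client, status, method, URL) and the log lines themselves are assumed and constructed for the example.

```python
"""Added example (not from the original post): match constructed proxy-log
lines against the indicators listed in the post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Downloader URLs from the post.
DOWNLOADER_URLS = [
    "http://185.48.56.133:8080/sstat/lldvs.php",
    "http://95.163.121.27:8080/sstat/lldvs.php",
    "http://92.63.88.100:8080/sstat/lldvs.php",
    "http://92.63.88.106:8080/sstat/lldvs.php",
]
# Post-infection traffic from the ThreatExpert report.
C2_IPS = ["194.146.136.1", "80.237.255.196", "85.25.20.107"]

# Exact-IP blocklist as recommended in the post, plus the optional /24 range.
BLOCK_IPS = {ipaddress.ip_address(urlsplit(u).hostname) for u in DOWNLOADER_URLS}
BLOCK_IPS |= {ipaddress.ip_address(ip) for ip in C2_IPS}
BLOCK_NETS = [ipaddress.ip_network("92.63.88.0/24")]

# Every downloader shares this port and path, so match it independently of
# the host: a new IP serving the same kit is still caught.
DOWNLOADER_PATH = re.compile(r":8080/sstat/lldvs\.php$")

# Constructed sample log (assumed format: "<timestamp> <client> <status>
# <method> <url>"). These are made-up lines, not real traffic.
SAMPLE_LOG = """\
1419325920.001 10.0.0.15 TCP_MISS/200 GET http://92.63.88.106:8080/sstat/lldvs.php
1419325921.512 10.0.0.15 TCP_MISS/200 GET http://www.example.com/index.html
1419325930.777 10.0.0.22 TCP_MISS/200 GET http://92.63.88.77:8080/sstat/lldvs.php
1419325940.002 10.0.0.22 TCP_MISS/200 POST http://80.237.255.196/
1419325950.345 10.0.0.30 TCP_MISS/200 GET http://92.63.88.5/
"""


def classify(url):
    """Return the set of reasons a URL matches the indicators (empty = clean)."""
    reasons = set()
    host = urlsplit(url).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname rather than a literal IP; only the path check applies
    if ip is not None:
        if ip in BLOCK_IPS:
            reasons.add("blocklisted ip")
        elif any(ip in net for net in BLOCK_NETS):
            reasons.add("blocklisted range")
    if DOWNLOADER_PATH.search(url):
        reasons.add("downloader path")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _status, _method, url = fields[:5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The "blocklisted range" hits are the ones you only get if you take up the suggestion to block the whole /24; the third and fifth sample lines show the difference, since neither IP is in the exact list.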