From: Taylor Slater
Date: 3 November 2014 09:32
Subject: A new invoice FM0509816M has been created for You
Dear Client,
A new invoice, FM0509816M has been created. Please find it attached.
Kind regards, Taylor Slater
TM Group
Helpdesk Billing
--------------------
From: Winfred Chapman
Date: 3 November 2014 10:34
Subject: A new invoice MP4729736L has been created for You
Dear Client,
A new invoice, MP4729736L has been created. Please find it attached.
Kind regards, Winfred Chapman
TM Group
Helpdesk Billing
--------------------
From: Lionel Lowery
Date: 3 November 2014 11:05
Subject: A new invoice LB7236759Y has been created for You
Dear Client,
A new invoice, LB7236759Y has been created. Please find it attached.
Kind regards, Lionel Lowery
TM Group
Helpdesk Billing
--------------------
From: Trey Leonard
Date: 3 November 2014 11:05
Subject: A new invoice LM839596Q has been created for You
Dear Client,
A new invoice, LM839596Q has been created. Please find it attached.
Kind regards, Trey Leonard
TM Group
Helpdesk Billing
--------------------
From: Helga Wilkinson
Date: 3 November 2014 12:16
Subject: A new invoice NT9263036Z has been created for You
Dear Client,
A new invoice, NT9263036Z has been created. Please find it attached.
Kind regards, Helga Wilkinson
TM Group
Helpdesk Billing
--------------------
From: Carol Day
Date: 3 November 2014 11:44
Subject: A new invoice DQ8914435K has been created for You
Dear Client,
A new invoice, DQ8914435K has been created. Please find it attached.
Kind regards, Carol Day
TM Group
Helpdesk Billing
--------------------
From: Corey Graham
Date: 3 November 2014 11:42
Subject: A new invoice TQ022815G has been created for You
Dear Client,
A new invoice, TQ022815G has been created. Please find it attached.
Kind regards, Corey Graham
TM Group
Helpdesk Billing
--------------------
From: Josefina Deleon
Date: 3 November 2014 11:34
Subject: A new invoice KZ561472B has been created for You
Dear Client,
A new invoice, KZ561472B has been created. Please find it attached.
Kind regards, Josefina Deleon
TM Group
Helpdesk Billing
Attached is a Word document with the same filename as the supposed invoice number. So far I have seen three variations:
- Sample 1: VirusTotal 0/54, Malwr Report, macro [pastebin]
- Sample 2: VirusTotal 0/54, Malwr Report, macro [pastebin]
- Sample 3: VirusTotal 0/54, Malwr Report, macro [pastebin]
http://149.62.168.210:8080/doc/8.exe
http://111.125.170.132:8080/doc/8.exe
http://121.78.88.208:8080/doc/8.exe
This binary has a detection rate of just 2/54. The Malwr report shows this binary reaches out to the following locations:
http://91.222.139.45/4gA6Cw%2CuZ%265%2B7/TvPKRfz@/tpm=MCPSixTbfs6%2B
http://213.140.115.29/gfffgwtmjg6_w+8j+$%26icb%3D_f2=%2Dj66/@c3qrn=b%7E%2C+1tg026.i%24w./x%2Dlq5e%2D
http://213.140.115.29/uziFUA/wE0ArLF~2K%2DuQjXh3ak/7IvEHrPuf
http://213.140.115.29/hIR%3D7nkeM%2CgV/%2C@fN0iWI/+arv9NF%24F
The malware also drops a malicious DLL with a VirusTotal detection rate of 9/54 which is identified as Cridex.
Recommended blocklist:
91.222.139.45
213.140.115.29
149.62.168.210
111.125.170.132
121.78.88.208
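As an added example (not part of the original post), the script below turns the indicators above into two defender-side checks: a mail-side match on the spam template (subject "A new invoice ... has been created for You" with a Word attachment named after the supposed invoice number, as described above) and a proxy-log scan for the blocklisted IPs and the `:8080/doc/8.exe` download path shared by the three macro URLs. The log line format, the client IPs, and the host 198.51.100.7 are constructed for the demonstration; the path check is a heuristic added here so that the same download path on a host not yet on the list is also flagged, which goes slightly beyond the fixed blocklist in the post.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post: the recommended blocklist.
BLOCKLIST_IPS = {
    "91.222.139.45",
    "213.140.115.29",
    "149.62.168.210",
    "111.125.170.132",
    "121.78.88.208",
}

# All three macro download URLs in the post use this path on port 8080.
# Matching it independently of the host is an assumption added here (heuristic).
DOWNLOAD_PATH_RE = re.compile(r"^/doc/8\.exe$")

# Subject template derived from the eight spam subjects quoted above:
# two letters, six or seven digits, one letter.
SUBJECT_RE = re.compile(
    r"^A new invoice (?P<ref>[A-Z]{2}\d{6,7}[A-Z]) has been created for You$"
)


def is_invoice_lure(subject, attachment_name):
    """True when the subject follows the spam template and the attached Word
    document is named after the same 'invoice number' (.doc or .docx assumed)."""
    m = SUBJECT_RE.match(subject)
    if not m:
        return False
    ref = m.group("ref").lower()
    return attachment_name.lower() in (f"{ref}.doc", f"{ref}.docx")


def classify_url(url):
    """Return a reason string if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in BLOCKLIST_IPS:
        return f"blocklisted host {host}"
    # Heuristic (assumption): same download path on port 8080, any host.
    if parts.port == 8080 and DOWNLOAD_PATH_RE.match(parts.path):
        return "macro download path /doc/8.exe on :8080"
    return None


def scan_proxy_log(lines):
    """Scan constructed proxy log lines of the form
    '<time> <client_ip> <method> <url> <status>' and return (client, url, reason)
    for every line that matches an indicator. Malformed lines are skipped."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        _, client, _, url, _ = fields[:5]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


# Constructed sample log: two requests to hosts from the post, one to an
# unrelated site, one to a host not on the list but with the same payload path,
# and one malformed line.
SAMPLE_LOG = [
    "2014-11-03T11:10:02Z 10.1.2.33 GET http://149.62.168.210:8080/doc/8.exe 200",
    "2014-11-03T11:10:09Z 10.1.2.33 GET http://91.222.139.45/4gA6Cw%2CuZ%265%2B7/TvPKRfz@/tpm=MCPSixTbfs6%2B 200",
    "2014-11-03T11:11:40Z 10.1.2.57 GET http://www.example.com/index.html 200",
    "2014-11-03T11:12:05Z 10.1.2.61 GET http://198.51.100.7:8080/doc/8.exe 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {reason}")
    print(is_invoice_lure("A new invoice FM0509816M has been created for You",
                          "FM0509816M.doc"))
```

Feeding real proxy logs through `scan_proxy_log` only requires adapting the field split to the local log format; the two matching functions take plain strings and can be reused from a mail filter or a SIEM rule as they stand.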