This spam purports to come from a variety of companies, each with a different invoice reference. It comes with a malicious attachment.
From: Marisol Barrett [BarrettMarisol04015@victimdomain.tld]
Date: 1 February 2016 at 08:39
Subject: Invoice 48014 from JKX OIL & GAS
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Marisol Barrett
JKX OIL & GAS
=========================
From: Oswaldo Browning [BrowningOswaldo507@victimdomain.tld]
Date: 1 February 2016 at 09:38
Subject: Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Oswaldo Browning
J P MORGAN PRIVATE EQUITY LTD
=========================
From: Pansy Haley [HaleyPansy95@victimdomain.tld]
Date: 1 February 2016 at 08:50
Subject: Invoice 95101 from HWANGE COLLIERY CO
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Pansy Haley
HWANGE COLLIERY CO
=========================
From: Ruth Martinez [MartinezRuth43950@victimdomain.tld]
Date: 1 February 2016 at 08:51
Subject: Invoice 27051 from ESSENDEN PLC
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Ruth Martinez
ESSENDEN PLC
The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the fake reference number). There are at least three different versions (VirusTotal [1] [2] [3]).
Analysis is pending; however, this is likely to be the Dridex banking trojan.
UPDATE 1
A different variant of the spam email is also circulating, which appears to carry roughly the same payload:
From: Heather Mcfadden [McfaddenHeather71@victimdomain.tld]
Date: 1 February 2016 at 10:09
Subject: Transaction and Payment Confirmation from HAYWARD TYLER GROUP PLC
Hello,
The attached document is a transaction payment confirmation from HAYWARD TYLER GROUP PLC in the amount of GBP 1,879.86.
Your transaction reference number is A3546F.
Kind Regards,
Heather Mcfadden
HAYWARD TYLER GROUP PLC
UPDATE 2
The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php
These IPs can be considered malicious, and belong to:
31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)
This drops a malicious binary with a detection rate of 2/53. This phones home to:
185.24.92.229 (System Projects, LLC, Russia)
This spam appears to be distributing the Dridex banking trojan (perhaps botnet 120).
Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23
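As an added example (not part of the original post), the Python below turns the indicators above into checks: the INV19 attachment naming and the subject lines from the mail samples, and the download URL and blocklist IPs from Update 2. The proxy log format and the sample log lines are constructed; matching on the /indiana/jones.php path as well as the listed IPs also catches a host that is not yet on the blocklist.

```python
import re
# Indicators quoted from the post above (blocklist IPs and the download path).
BLOCKLIST = {"185.24.92.229", "31.131.24.203", "31.41.45.23"}
DOWNLOAD_PATH = "/indiana/jones.php"

# Attachment naming the post describes: "INV19 - <fake reference>.doc"
ATTACHMENT_RE = re.compile(r"^INV19 - \d+\.doc$", re.IGNORECASE)
# Subject lines used by the two spam variants
SUBJECT_RE = re.compile(
    r"^(Invoice \d+ from |Transaction and Payment Confirmation from )", re.IGNORECASE)
# Assumed (constructed) proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^\S+ (\S+) \S+ https?://([^/\s:]+)(/\S*)? ")


def suspicious_mail(sender, subject, attachments, own_domain):
    """Return the campaign traits a message shows (empty list means no match)."""
    reasons = []
    # The samples spoof the recipient's own domain; on its own that is a weak
    # signal, so it is reported together with the subject and attachment checks.
    if sender.lower().endswith("@" + own_domain.lower()):
        reasons.append("sender spoofs own domain")
    if SUBJECT_RE.match(subject):
        reasons.append("campaign subject pattern")
    for name in attachments:
        if ATTACHMENT_RE.match(name):
            reasons.append("attachment name matches INV19 pattern: " + name)
    return reasons


def scan_proxy_log(lines):
    """Flag requests to the blocklisted IPs or to the known download path.
    Matching the path too catches a new host serving the same payload URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, host, path = m.group(1), m.group(2), m.group(3) or "/"
        if host in BLOCKLIST:
            hits.append((client, host, "blocklisted host"))
        elif path == DOWNLOAD_PATH:
            hits.append((client, host, "known download path"))
    return hits


# Constructed sample log lines (the last host is a made-up, unlisted one)
SAMPLE_LOG = [
    "2016-02-01T10:12:03 10.0.0.15 GET http://31.131.24.203/indiana/jones.php 200",
    "2016-02-01T10:12:09 10.0.0.15 POST http://185.24.92.229/ 200",
    "2016-02-01T10:13:00 10.0.0.22 GET http://example.com/index.html 200",
    "2016-02-01T10:14:31 10.0.0.31 GET http://203.0.113.7/indiana/jones.php 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the two blocklisted hosts and the unlisted host that serves the same download path.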