Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    AplusWebMaster
    Fake 'Tax Invoice', 'Sales Invoice', 'PHS docs' SPAM, Dridex botnet

    FYI...

    Fake 'Tax Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/mbie-c...e-pdf-malware/
    26 Oct 2015 - "An email with the subject of 'MBIE Companies Office Tax Invoice' pretending to come from revenue@ med.govt .nz with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x557.png

    26 October 2015: Notification20151026_MCX79GF[_var=nSYMBOL]-54.zip: Extracts to: Notification20151026-AUNK7401f-26.exe
    Current Virus total detections 0/55*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1445819602/
    ___

    Fake 'Sales Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...r-norwich.html
    26 Oct 2015 - "This -fake- financial spam does not come from Norwich Camping but is instead a simple -forgery- with a malicious attachment:
    From "Norwich Camping" [sales@ norwichcamping .co.uk]
    Date Mon, 26 Oct 2015 13:43:14 +0430
    Subject #NC-242455-Zmj Your Norwich Camping Order has shipped!
    You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
    payment method has now been charged.
    Kind regards,
    The Norwich Camping & Leisure


    Attached is a file invoice-2425.doc of which I have only seen a single sample so far with a VirusTotal detection rate of 5/55*. The document contains this malicious macro... which apparently downloads a malicious binary to %TEMP%\ZipCock32.exe ... it is most likely that it downloads the Dridex banking trojan.
    UPDATE: According to this Hybrid Analysis report**, this version of the malicious document downloads an executable from:
    img1.buyersbestfriend. com/76r56e87y8/65df78.exe
    This has a VirusTotal detection rate of 5/55***. That report indicates malicious traffic to:
    195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
    I recommend that you block traffic to that IP."
    * https://www.virustotal.com/en/file/e...is/1445854612/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=2

    *** https://www.virustotal.com/en/file/2...is/1445857776/
    ... Behavioural information
    TCP connections
    195.154.251.123: https://www.virustotal.com/en/ip-add...3/information/
    88.221.14.130: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'PHS docs' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...ments-are.html
    26 Oct 2015 - "This spam does not come from PHSOnline, but is instead a simple -forgery- with a malicious attachment.
    From "PHSOnline" [documents@ phsonline .co.uk]
    Date Mon, 26 Oct 2015 20:28:50 +0700
    Subject Your new PHS documents are attached


    I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in -three- different versions... containing a macro... which downloads a malicious binary from one of the following locations:
    tranquilosurf .com/~info/76r56e87y8/65df78.exe
    masaze-rumburk .cz/76r56e87y8/65df78.exe
    img1.buyersbestfriend .com/76r56e87y8/65df78.exe
    The Hybrid Analysis reports for those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has a VirusTotal detection rate of just 1/55[4]. The Hybrid Analysis report for this binary[5] shows it downloading from the following location:
    195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
    This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the -same- as the ones used in this earlier attack*, but the payload has now changed."
    * http://blog.dynamoo.com/2015/10/malw...r-norwich.html

    [1] https://www.hybrid-analysis.com/samp...nvironmentId=1
    [2] https://www.hybrid-analysis.com/samp...nvironmentId=2
    [3] https://www.hybrid-analysis.com/samp...nvironmentId=2
    [4] https://www.virustotal.com/en/file/a...is/1445868517/
    [5] https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Despite takedown, the Dridex botnet is running again
    - http://www.computerworld.com/article...ing-again.html
    Oct 26, 2015 - "Spam emails containing the Dridex malware are being seen almost daily despite the arrest of one of its key operators in August. The finding confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations... Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts. The U.S. and U.K. said the Dridex botnet - or the collection of computers infected with the malware - had been disrupted following their operations. Two weeks before the DOJ's announcement, Palo Alto Networks wrote* that it noticed a drop in Dridex activity but that it resumed again around the start of October. Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog**... there appear to be more files labeled as Dridex on VirusTotal... Although some of the samples could be mislabeled, it backs up what Palo Alto noticed..."

    * http://researchcenter.paloaltonetwor...geting-the-uk/
    Oct 1, 2015

    ** https://isc.sans.edu/diary/Botnets+s...l+active/20295
    Last Updated: 2015-10-24

    - http://www.secureworks.com/cyber-thr...ver-operation/
    13 Oct 2015 - "... The malware... steals credentials, certificates, cookies, and other sensitive information from a compromised system, primarily to commit Automated Clearing House (ACH) and wire fraud. As of this publication, authorities have linked the botnet to an estimated £20 million (approximately $30.5 million) in losses in the UK, and at least $10 million in losses in the United States. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex) but is distinct from previous Bugat variants, particularly with respect to its modular architecture and its use of a hybrid peer-to-peer (P2P) network to mask its backend infrastructure and complicate takedown attempts..."

    Last edited by AplusWebMaster; 2015-10-26 at 15:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
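As a defender-side illustration of the disguised-attachment point in the 'Tax Invoice' and 'PHS docs' reports above (a zip whose only payload is an .exe with a document icon, relying on hidden file extensions), here is an added example that is not from the post or the blogs it quotes: it inspects a zip attachment for members that are executables masquerading as documents, checking both the name and the PE 'MZ' header. The sample zip, the extra member names beyond the one quoted in the post, and the extension lists are constructed assumptions.

```python
import io
import zipfile

# Extensions that should never arrive inside an "invoice" or "notification" zip.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking stems used to build double extensions such as invoice.pdf.exe.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls")

def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable (empty if clean)."""
    reasons = []
    lower = name.lower()
    root, dot, ext = lower.rpartition(".")
    ext = "." + ext if dot else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # A double extension hides the real .exe/.scr behind a document name once extensions are hidden.
    if any(root.endswith(d) for d in DOCUMENT_EXTS):
        reasons.append("document-style double extension")
    # PE files start with the 'MZ' DOS header regardless of the name or the icon they carry.
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header with non-executable name")
    elif head[:2] == b"MZ":
        reasons.append("PE header")
    return reasons

def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the first bytes are needed for the magic check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample mirroring the post: a zip holding a PE named like a notification."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notification20151026-AUNK7401f-26.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, harmless")
        zf.writestr("invoice.pdf.scr", b"MZ" + b"\x90" * 62)  # hypothetical double-extension case
    return buf.getvalue()
```

A mail gateway or sandbox pre-filter can quarantine any attachment for which scan_zip_attachment returns a non-empty result, independent of the sender's spoofed display name.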
