Malware SPAM a new run has started. - Internet Security

Malware SPAM a new run has started.
Last week Brad mentioned malware being delivered via word documents in SPAM (https://isc.sans.edu/forums/diary/Malicious+spam+Subject+RE+Bill/20417/). Seems like this morning there was another run. Subjects vary and the messages vary slightly, the end result is however nasty. All have word attachments. Subjects Seen: "Transaction", "LM Transaction" , "ENA Invoice" Content: Good morning Please find the payment details enclosed with this message. The Payment should appear on your account within 1 day. Regards Steel Potts ------------------------------------------------- Hello Please review the invoice enclosed with this email. The Payment should appear on your account within 1 day. Kindest regards Jackson Blackwell ------------------------------------------------- Greetings Please find the receipt attached to this email. The Payment should appear on your bank in 1-2 days. Best regards Guy Roman ------------------------------------------------- These are of course not a definitive list of subjects, but the pattern is fairly clear. It may be an opportunity for some user education, especially those in your organisation whose job it is to click on attachments. Cheers Mark H	Mark 391 Posts ISC Handler
Reply Subscribe	Dec 6th 2015 3 years ago
Hi Mark, Any chance of sharing the attachment?	Anonymous
Reply Quote	Dec 7th 2015 3 years ago
"It may be an opportunity for some user education, especially those in your organisation whose job it is to click on attachments." OUCH! The administrators of an organisation have the controls to restrict users from running the payload (be it the VBA macros or any dropper/downloader spawned with their help) of these MS-Word documents.	Anonymous
Reply Quote	Dec 7th 2015 3 years ago
We're seeing an interesting campaign this morning as well, where $yourdomain is the domain of the recipients. Interestingly the majority of recipients seem to be IT folks, so this is somewhat targeted somehow. Subject: Re: $yourdomain sucks The language of your support department is unacceptable. Please check the reply I received to my support ticket. Attachment: support_ticket.doc The attachment is the usual malicious Word document social engineering folks to enable content. Haven't had time to analyze yet but we've seen attempted POSTs to the following: hxxp://botepetan.ru/gate.php hxxp://betrewhattit.ru/gate.php hxxp://hagurowrob.ru/gate.php	Anonymous
Reply Quote	Dec 7th 2015 3 years ago
hit me up on the handlers email if you are interested in these 836ff385edd291b1e81332c7c3946508 c441b5d17fe75d4aa77f2c01b73eab08 4ad7f9f93adfe7973b5088c57a45e46b	Mark 391 Posts ISC Handler
Reply Quote	Dec 8th 2015 3 years ago