Malware SPAM a new run has started.

Published: 2015-12-06
Last Updated: 2015-12-06 22:36:56 UTC
by Mark Hofman (Version: 1)
4 comment(s)

Last week Brad mentioned malware being delivered via word documents in SPAM (https://isc.sans.edu/forums/diary/Malicious+spam+Subject+RE+Bill/20417/).  Seems like this morning there was another run.  Subjects vary and the messages vary slightly, the end result is however nasty.  All have word attachments.  

Subjects Seen: "Transaction",  "LM Transaction" ,  "ENA Invoice"

Content:

Good morning
Please find the payment details enclosed with this message. The Payment should appear on your account within 1 day.

Regards
Steel Potts

-------------------------------------------------

Hello
Please review the invoice enclosed with this email. The Payment should appear on your account within 1 day.

Kindest regards
Jackson Blackwell

-------------------------------------------------

Greetings
Please find the receipt attached to this email. The Payment should appear on your bank in 1-2 days.

Best regards
Guy Roman

-------------------------------------------------

These are of course not a definitive list of subjects, but the pattern is fairly clear. 

It may be an opportunity for some user education, especially those in your organisation whose job it is to click on attachments. 

Cheers

Mark H 

Keywords: malware spam word
4 comment(s)

Comments

Hi Mark,

Any chance of sharing the attachment?
"It may be an opportunity for some user education, especially those in your organisation whose job it is to click on attachments."

OUCH!
The administrators of an organisation have the controls to restrict users from running the payload (be it the VBA macros or any dropper/downloader spawned with their help) of these MS-Word documents.
We're seeing an interesting campaign this morning as well, where $yourdomain is the domain of the recipients. Interestingly the majority of recipients seem to be IT folks, so this is somewhat targeted somehow.

Subject: Re: $yourdomain sucks
The language of your support department is unacceptable.
Please check the reply I received to my support ticket.
Attachment: support_ticket.doc

The attachment is the usual malicious Word document social engineering folks to enable content. Haven't had time to analyze yet but we've seen attempted POSTs to the following:
hxxp://botepetan.ru/gate.php
hxxp://betrewhattit.ru/gate.php
hxxp://hagurowrob.ru/gate.php
hit me up on the handlers email if you are interested in these
836ff385edd291b1e81332c7c3946508
c441b5d17fe75d4aa77f2c01b73eab08
4ad7f9f93adfe7973b5088c57a45e46b

Diary Archives