Tuesday, 17 March 2015

Payment confirmation Payment made by BACS

"Payment confirmation Payment made by BACS" is being spammed out with a Word document attached.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header:

Subject: Payment confirmation XJL970
Message Body:
Good morning Sir,
Please find attached payment confirmation and remittance. Payment made by BACS. Fnds will be in your account tomorrow. Once again apologies for the delay. 
Kind regards
Attachment:
XJL970.doc
Sha256 Hashes (Yes, a huge amount of samples)

Malware Macro document information:
VirusTotal Report [Example] (Detection ratio 2/57)

Malwr Report [Example]

Hybrid Analysis Report [Example]

Payload Download [HAR Report]: http://92.63.87.14/instana/vsacz.exe

Payload Sha256: 0d0c02aa0572a90c940e554a6c2a2ee054bc5a2f2df561e95e2a31a4162dd34

Payload VirusTotal Report: [Payload]
Malwr Report: [Payload]
Hybrid Analysis Report: [Payload] [detailed analysis]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots, or copying information from your clipboard (copy/paste)).
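The mechanism described in the note above (a macro-bearing Word attachment that fetches a Windows executable) lends itself to a simple mail-gateway triage check. The Python below is an added example written for this page, not the blog author's code or any vendor tool. It flags a message when the subject matches this campaign's template, when the attachment name mirrors the subject's reference code, and when a legacy .doc attachment carries the UTF-16LE stream names that an OLE2 file only contains if a VBA project is embedded. The payload URL is the one from the post's sandbox report; the regex, the function names and the sample document bytes are assumptions constructed for the example, and the OLE heuristic deliberately avoids a full OLE parser (it will miss macros in Word 2003 XML files, which are not OLE).

```python
import re

# OLE2 compound-file signature that a legacy Word .doc / Excel .xls begins with.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# OLE directory entries store stream and storage names as UTF-16LE. These names
# are only present when a VBA project is embedded, so a byte search for them is a
# cheap, dependency-free "has macros" heuristic (assumption: good enough for triage).
VBA_STREAM_NAMES = tuple(
    n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT", "ThisDocument")
)

# Subject template seen in this campaign: fixed text plus a 3-letter/3-digit reference.
SUBJECT_RE = re.compile(r"^Payment confirmation ([A-Z]{3}\d{3})\s*$")

# Network IoC taken from the post's sandbox report.
KNOWN_BAD_URLS = {"http://92.63.87.14/instana/vsacz.exe"}

# Attachment types the note says are currently being abused (plus macro-enabled variants).
MACRO_CAPABLE_EXTS = (".doc", ".dot", ".xls", ".docm", ".xlsm", ".xml")


def is_ole_file(data: bytes) -> bool:
    """True if the blob starts with the OLE2 signature (legacy .doc/.xls container)."""
    return data[:8] == OLE_MAGIC


def has_vba_streams(data: bytes) -> bool:
    """Heuristic: an OLE file whose directory names a VBA project storage."""
    return is_ole_file(data) and any(name in data for name in VBA_STREAM_NAMES)


def triage_email(subject: str, attachment_name: str, attachment: bytes) -> list:
    """Return the reasons (if any) this message should be held for review."""
    reasons = []
    m = SUBJECT_RE.match(subject)
    if m:
        reasons.append("subject matches campaign template")
        # In the samples the attachment is named after the subject's reference code.
        if attachment_name.lower() == f"{m.group(1).lower()}.doc":
            reasons.append("attachment name mirrors subject reference")
    lowered = attachment_name.lower()
    if lowered.endswith(MACRO_CAPABLE_EXTS):
        if has_vba_streams(attachment):
            reasons.append("Office attachment contains a VBA project")
        elif lowered.endswith(".doc") and not is_ole_file(attachment):
            reasons.append("'.doc' attachment is not an OLE file (extension mismatch)")
    return reasons


def urls_seen_in_iocs(log_text: str) -> list:
    """Match URLs found in proxy/sandbox log text against the known payload URL list."""
    found = re.findall(r"https?://[^\s\"'<>]+", log_text)
    return sorted(u for u in set(found) if u in KNOWN_BAD_URLS)


# Constructed sample: OLE header, padding, then the UTF-16LE stream names a
# macro-bearing Word document would carry. This is not a real malware sample.
SAMPLE_DOC = (
    OLE_MAGIC + b"\x00" * 504
    + "Macros".encode("utf-16-le") + b"\x00" * 52
    + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
)
# Constructed clean document: OLE header only, no VBA streams.
CLEAN_DOC = OLE_MAGIC + b"\x00" * 600

if __name__ == "__main__":
    print(triage_email("Payment confirmation XJL970", "XJL970.doc", SAMPLE_DOC))
    print(triage_email("Q3 figures", "report.doc", CLEAN_DOC))
    print(urls_seen_in_iocs("GET http://92.63.87.14/instana/vsacz.exe 200"))
```

Each finding is a separate reason so a gateway rule can weight them: the subject match alone is weak (legitimate remittance emails exist), but subject match plus a VBA project in a .doc named after the reference code is what the samples on this page look like, and a proxy log hit on the payload URL means a host already ran the macro.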

Cheers,
Steve

2 comments:

Iavorscaia said...
This comment has been removed by the author.
Iavorscaia said...

Hey guys. Have just received the same email. But how can I protect myself from such spam? Anyone help please! These emails are too annoying!! Maybe there's some kind of software for MS Exchange or plugin for Outlook. I appreciate your help.