“Outstanding invoice” (invoice@bankline.ulsterbank.ie) virus e-mail

Another bit of junk today; this time, helpfully, they also included (CC) all the people in the organisation the message was sent to, so I could warn them.

Dear emailinfo,

Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here <https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQmUxbENtOXhkak9yZWt5UmdteDRsUjJuWENHRzVZbz0>

I would be grateful if you could look into this matter and advise on an expected payment date.

Many thanks

David Gregory

Credit Control
Tel: 0845 300 2952

Needless to say, it didn’t come from ulsterbank.ie. The From: header claims bankline.ulsterbank.ie, but the Return-Path and the Received chain point at mail.meiko-eisengiesserei.de, and the Message-ID was generated at yet another domain (mevlnsekx.biz):

Received: from mail.meiko-eisengiesserei.de (mail.meiko-eisengiesserei.de
 [])	by media.myclient.com with ESMTP	; Thu, 2 Apr 2015
 11:47:41 +0100
Received: from [] (helo=vyyiyjqbkpgue.dvrke.com)	by
 mail.meiko-eisengiesserei.de with esmtpa (Exim 4.69)	(envelope-from )	id
 1MMHLU-6787pc-5S	for emailinfo@myclient.com; Thu, 2 Apr 2015 11:48:10
Date: Thu, 2 Apr 2015 11:48:10 +0100
From: "invoice@bankline.ulsterbank.ie" <invoice@bankline.ulsterbank.ie>
X-Mailer: The Bat! (v3.71.04) Professional
X-Priority: 3 (Normal)
Message-ID: <9309792200.R5X6472C560759@ufmsdfecd.mevlnsekx.biz>
To: <emailinfo@myclient.com>, <redacted@myclient.com>,
	<ian@myclient.com>, <info@myclient.com>, <jan.redacted@myclient.com>,
	<lucy.redacted@myclient.com>, <messagelog@myclient.com>,
	<redacted@myclient.com>, <steve.redacted@myclient.com>
Subject: Outstanding invoice
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-Path: Bankline.Administrator@mail.meiko-eisengiesserei.de
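Making that header mismatch mechanical, as an added example (Python, not part of the original post): parse the headers quoted above and compare the domains in From, Return-Path and Message-ID against the hosts named in the Received chain. The sample is the post's own headers with tabs collapsed to spaces; the checks, the `under()` domain-suffix rule and the findings it produces are the example's own, not something the author ran.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers quoted in this post, tabs collapsed to spaces
# and the redacted IP fields left empty exactly as they appear above.
RAW_HEADERS = """\
Received: from mail.meiko-eisengiesserei.de (mail.meiko-eisengiesserei.de
 []) by media.myclient.com with ESMTP ; Thu, 2 Apr 2015
 11:47:41 +0100
Received: from [] (helo=vyyiyjqbkpgue.dvrke.com) by
 mail.meiko-eisengiesserei.de with esmtpa (Exim 4.69) (envelope-from ) id
 1MMHLU-6787pc-5S for emailinfo@myclient.com; Thu, 2 Apr 2015 11:48:10
Date: Thu, 2 Apr 2015 11:48:10 +0100
From: "invoice@bankline.ulsterbank.ie" <invoice@bankline.ulsterbank.ie>
X-Mailer: The Bat! (v3.71.04) Professional
Message-ID: <9309792200.R5X6472C560759@ufmsdfecd.mevlnsekx.biz>
Subject: Outstanding invoice
Return-Path: Bankline.Administrator@mail.meiko-eisengiesserei.de

"""


def unfold(value):
    """Collapse RFC 5322 folding whitespace so the regexes see one line."""
    return re.sub(r"\s+", " ", value).strip()


def domain_of(addr_header):
    """Domain part of the first address in a From/Return-Path style header."""
    addr = parseaddr(addr_header)[1]
    return addr.rpartition("@")[2].lower()


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """(from_host, helo, by_host) per Received header, newest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = unfold(raw)
        frm = re.search(r"\bfrom\s+(\S+)", line)
        helo = re.search(r"helo=([^\s)]+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append((frm.group(1) if frm else None,
                     helo.group(1) if helo else None,
                     by.group(1) if by else None))
    return hops


def analyse(raw_message):
    """Compare the claimed sender domain with the envelope and transport evidence."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    mid_dom = msg.get("Message-ID", "").rpartition("@")[2].strip("<> ").lower()
    hops = received_hops(msg)
    findings = []
    if rp_dom and not under(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} is not under From domain {from_dom}")
    if mid_dom and not under(mid_dom, from_dom):
        findings.append(f"Message-ID domain {mid_dom} is not under From domain {from_dom}")
    hosts = [h for hop in hops for h in hop if h]
    if not any(under(h, from_dom) for h in hosts):
        findings.append(f"no Received hop names a host under {from_dom}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "message_id_domain": mid_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = analyse(RAW_HEADERS)
    for hop in report["hops"]:
        print("hop:", hop)
    for finding in report["findings"]:
        print("finding:", finding)
```

The hop list reads newest first, so the last entry is the earliest hop the receiving side recorded: here a host that announced itself with HELO vyyiyjqbkpgue.dvrke.com to mail.meiko-eisengiesserei.de, which then relayed to the client's server. None of that touches ulsterbank.ie, which is the point the post makes.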

The link downloads Document_CQ0062119-WA.zip, which contains “Document_CQ0062119-WA.scr” (a .scr file is a Windows PE executable; the “screensaver” extension is a common lure precisely because users don’t recognise it as runnable).
SHA256 d7720a995dab294e18ad74b25432d6af088763cc3c5c9408d997bf950f6fb04f
(VirusTotal Report / Malwr Report).
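What a mail gateway, or an admin who received this, can check before anyone opens the archive, as an added Python example that is not from the post: list the zip members and flag executable extensions (.scr included), double extensions such as .pdf.exe, and an MZ header inside the member. The archive below is constructed in memory with a harmless MZ stub under the lure's filename; it is not the real Document_CQ0062119-WA.zip, and the extension lists are the example's own choices.

```python
import io
import zipfile

# Extensions Windows runs on double-click; .scr is a PE executable like .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# "Harmless" looking extensions that lures like to put in front of a real one.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_zip(data):
    """Return {member_name: [reasons]} for members that look like executable lures."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            reasons = []
            if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
                reasons.append(f"executable extension .{parts[-1]}")
            if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
                reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
            # Magic check: a PE file starts with the DOS "MZ" stub regardless of name.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("MZ header (Windows executable)")
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample():
    """Constructed stand-in for the lure archive; the members are inert stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Document_CQ0062119-WA.scr", b"MZ" + b"\x00" * 62 + b"stub, not a real PE")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00")
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

The magic check is the one that survives renaming: a gateway that only looks at extensions misses an .scr renamed to .pdf, and one that only looks at the MZ stub misses a .js or .hta dropper, so use both.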

On execution it connects to checkip.dyndns.org to learn the victim's public IP address, then contacts a server in Ukraine.

It then downloads a payload from:

http://edrzambrano.com.ve/images/wicon1.png (Virustotal Report SHA256 a6c310f2d4d3eb110b2df3fd64dca443db2dcb40f860cf0ebd09cf8af7f778be)

It then starts an SSL session with an IP in Russia; the server certificate has CN=oHbECjOD3mWybdlZ55TWBABk and a generation date of 26th March 2015.

The following HTTPS endpoints were also seen:

HTTPS to an IP in Russia: Common Name oHbECjOD3mWybdlZ55TWBABk, certificate generation date 26th March 2015.
HTTPS to an IP in Ukraine: Common Name GHsaixn60AdNExbRZPddpOKo, certificate generation date 2nd April 2015.
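Both certificates share the traits that make them usable as a network indicator even when the traffic itself can't be read: a Common Name that is neither a hostname nor an organisation name, a random mix of upper and lower case with digits, and a validity start only days (or hours) before the traffic was seen. As an added Python example, not from the post, the heuristic below scores a certificate on those three signals; the case-flip ratio, the 16-character minimum and the 30-day window are the example's own thresholds, and the dates fed in are the generation dates quoted above with 2nd April 2015 as the observation date.

```python
from datetime import date


def case_transition_ratio(s):
    """Fraction of adjacent letter pairs whose case differs; ~0 for real names."""
    pairs = [(a, b) for a, b in zip(s, s[1:]) if a.isalpha() and b.isalpha()]
    if not pairs:
        return 0.0
    flips = sum(1 for a, b in pairs if a.isupper() != b.isupper())
    return flips / len(pairs)


def cert_indicators(cn, not_before, seen_at, max_age_days=30):
    """List the reasons a server certificate looks like malware C2 rather than a real site."""
    reasons = []
    if "." not in cn and " " not in cn:
        reasons.append("CN is neither a hostname nor an organisation name")
    ratio = case_transition_ratio(cn)
    if len(cn) >= 16 and ratio >= 0.3:
        reasons.append(f"CN looks machine-generated (case flip ratio {ratio:.2f})")
    age = (seen_at - not_before).days
    if age < max_age_days:
        reasons.append(f"certificate generated {age} day(s) before observation")
    return reasons


def suspicious(cn, not_before, seen_at):
    """Two or more indicators together is the alerting threshold used here."""
    return len(cert_indicators(cn, not_before, seen_at)) >= 2


if __name__ == "__main__":
    observed = date(2015, 4, 2)  # the day the sample was run
    for cn, generated in [("oHbECjOD3mWybdlZ55TWBABk", date(2015, 3, 26)),
                          ("GHsaixn60AdNExbRZPddpOKo", date(2015, 4, 2)),
                          ("www.example.com", date(2014, 6, 1))]:
        print(cn, suspicious(cn, generated, observed), cert_indicators(cn, generated, observed))
```

Treat this as one signal to combine with the destination IP and the lack of any SNI or DNS lookup preceding the connection, not as a rule on its own: some CDN and internal PKI certificates also carry opaque CNs and fresh validity periods, so the CN check alone would false-positive on them.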

Unlike previous versions of this junk, it no longer seems to use a Windows HTTP/HTTPS component, so my SSL interception software does not work and I cannot see the data it is exchanging.
