
Friday 13 February 2015

Blocked Payment!!! Dispute Number malware

"Blocked Payment!!! Dispute Number" is an email being spammed out with a Word document attached that contains an embedded macro.

These emails aren't from minutemanpress at all; the name is just being used to make the email look more genuine, i.e. as if it came from a real company.

Note

It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them, as there won't really be anything they can do to help you.

Message Header:

From: nitendra.sonare@in.rhenus.com
Subject: Blocked Payment!!! Dispute Number 881204

Message Body:
Hello.

The International SWIFT transfer (ID: 685712771), just launched from your checking account, was denied by the Electronic Payments Association.
Please check the Word document attached here to have more info about this issue.

NOTE: If you have any issues with opening the document, please save it on your PC before opening. A special details on the Word file must be opened only through Microsoft Word on Windows PC.
Attachment filename (Word document with macros):

42918Online payment details.doc

MD5 hash:

707a6640b0787383bff2e9474bdec287 [1]

Malicious macro document information:

VirusTotal Report [1] (detected by 2/57 virus scanners)

Malwr Report [1]

Hybrid-Analysis Report [1]

Decoded Macro [1]

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by keylogging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
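As an added defender-side example (this is not part of Steve's post, and not code from any of the services linked above), here is a small Python triage routine that does what a mail gateway could do with an attachment like the one above: compare its MD5 against the hash published in this post, and check whether a legacy Office file carries a VBA project. The VBA check is a heuristic scan for the UTF-16LE directory names a VBA project leaves inside an OLE compound file, not a full parser, so treat a hit as "hold for review" rather than proof. The sample bytes are constructed to exercise the heuristic and are not a real document; the extension list and the quarantine rules are my own assumptions.

```python
import hashlib
import os

# Compound File Binary (OLE2) magic: legacy .doc/.xls files start with it.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Directory-entry names that a VBA project leaves in a compound file. CFB stores
# entry names as UTF-16LE, so that is the encoding we search for.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]

# Extensions Word/Excel will open with macro support (assumed list).
OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm", ".xltm"}

# The MD5 published in this post for the malicious attachment.
KNOWN_BAD_MD5 = {"707a6640b0787383bff2e9474bdec287"}


def has_vba_project(data: bytes) -> bool:
    """Heuristic: OLE file whose directory names a VBA project (no full CFB parse)."""
    return data.startswith(CFB_MAGIC) and any(m in data for m in VBA_MARKERS)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'quarantine' is True when the attachment should be held."""
    ext = os.path.splitext(filename)[1].lower()
    md5 = hashlib.md5(data).hexdigest()
    reasons = []
    if md5 in KNOWN_BAD_MD5:
        reasons.append("hash matches a published IoC")
    if has_vba_project(data):
        reasons.append("Office document with embedded VBA project")
    if data.startswith(CFB_MAGIC) and ext not in OFFICE_EXTENSIONS:
        # An OLE container hiding behind a harmless-looking extension.
        reasons.append("OLE container with a non-Office extension")
    return {"filename": filename, "md5": md5, "quarantine": bool(reasons), "reasons": reasons}


def build_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for an attachment: only the bytes this heuristic
    inspects, padded with zeros. It is NOT a valid Word document."""
    body = CFB_MAGIC + b"\x00" * 504
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 52
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body + b"\x00" * 512


if __name__ == "__main__":
    # Filenames are illustrative; the first is the one seen in this campaign.
    for name, blob in [
        ("42918Online payment details.doc", build_sample(with_macros=True)),
        ("quarterly report.doc", build_sample(with_macros=False)),
        ("notes.txt", build_sample(with_macros=False)),
    ]:
        verdict = triage_attachment(name, blob)
        print(verdict["filename"], "quarantine" if verdict["quarantine"] else "allow", verdict["reasons"])
```

In a real gateway the hash set would be fed from a threat-intelligence source rather than a literal, and the VBA heuristic would be one signal alongside the scanner results linked in the post; the point of the example is that a document with macros from an unexpected sender is enough on its own to hold the message.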

Cheers,
Steve

1 comment:

chris said...

Known subjects:

Final Warning. Dispute No [0-9](7)
Final Warning. Dispute N [0-9](7)
Final Warning. Case Number [0-9](7)
Final Warning. Case No [0-9](7)
Final Warning. Case N [0-9](7)
Final Warning!!! Dispute Number [0-9](7)
Final Warning!!! Dispute No [0-9](7)
Final Warning!!! Dispute N [0-9](7)
Final Warning!!! Case No [0-9](7)
Final Warning!!! Case N [0-9](7)
Final Warning! Dispute Number [0-9](7)
Final Warning! Dispute N [0-9](7)
Final Warning! Case Number [0-9](7)
Final Warning! Case No [0-9](7)
Final Warning! Case N [0-9](7)
Final Notification. Dispute No [0-9](7)
Final Notification. Case Number [0-9](7)
Final Notification!!! Dispute No [0-9](7)
Final Notification!!! Dispute N [0-9](7)
Final Notification!!! Case Number [0-9](7)
Final Notification!!! Case No [0-9](7)
Final Notification! Dispute Number [0-9](7)
Final Notification! Dispute No [0-9](7)
Final Notification! Dispute N [0-9](7)
Final Notification! Case Number [0-9](7)
Final Notification! Case No [0-9](7)
Final Notification! Case N [0-9](7)
Final Alert. Dispute Number [0-9](7)
Final Alert. Dispute No [0-9](7)
Final Alert. Dispute N [0-9](7)
Final Alert. Case Number [0-9](7)
Final Alert. Case No [0-9](7)
Final Alert!!! Dispute Number [0-9](7)
Final Alert!!! Dispute No [0-9](7)
Final Alert!!! Dispute N [0-9](7)
Final Alert!!! Case Number [0-9](7)
Final Alert! Dispute Number [0-9](7)
Final Alert! Dispute No [0-9](7)
Final Alert! Case Number [0-9](7)
Final Alert! Case No [0-9](7)
Cancelled Money Transfer. Dispute No [0-9](6)
Cancelled Money Transfer. Dispute N [0-9](6)
Cancelled Money Transfer. Case Number [0-9](6)
Cancelled Money Transfer. Case No [0-9](6)
Cancelled Money Transfer. Case N [0-9](6)
Cancelled Money Transfer!!! Dispute Number [0-9](6)
Cancelled Money Transfer!!! Dispute N [0-9](6)
Cancelled Money Transfer!!! Case Number [0-9](6)
Cancelled Money Transfer!!! Case No [0-9](6)
Cancelled Money Transfer! Dispute Number [0-9](6)
Cancelled Money Transfer! Dispute No [0-9](6)
Cancelled Money Transfer! Case Number [0-9](6)
Cancelled Money Transfer! Case N [0-9](6)
Blocked Transaction. Dispute No [0-9](6)
Blocked Transaction. Case Number [0-9](6)
Blocked Transaction. Case No [0-9](6)
Blocked Transaction!!! Dispute No [0-9](6)
Blocked Transaction!!! Case No [0-9](6)
Blocked Transaction! Dispute No [0-9](6)
Blocked Transaction! Case N [0-9](6)
Blocked Payment. Dispute N [0-9](6)
Blocked Payment. Case No [0-9](6)
Blocked Payment!!! Dispute Number [0-9](6)
Blocked Payment!!! Dispute N [0-9](6)
Blocked Payment!!! Case Number [0-9](6)
Blocked Payment!!! Case No [0-9](6)
Blocked Payment! Dispute Number [0-9](6)
Blocked Payment! Dispute N [0-9](6)
Blocked Payment! Case Number [0-9](6)
Blocked Payment! Case No [0-9](6)
Blocked Payment! Case N [0-9](6)
Blocked Money Transfer. Dispute N [0-9](6)
Blocked Money Transfer. Case Number [0-9](6)
Blocked Money Transfer. Case No [0-9](6)
Blocked Money Transfer!!! Dispute Number [0-9](6)
Blocked Money Transfer!!! Dispute No [0-9](6)
Blocked Money Transfer!!! Dispute N [0-9](6)
Blocked Money Transfer!!! Case Number [0-9](6)
Blocked Money Transfer!!! Case No [0-9](6)
Blocked Money Transfer!!! Case N [0-9](6)
Blocked Money Transfer! Dispute No [0-9](6)
Blocked Money Transfer! Case No [0-9](6)

/headache

The subjects will be different if/when they send the next batch, so start working on a mitigation strategy asap
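The subject list in the comment above, as an added example of how a defender could turn it into a mail filter (this is my code, not chris's or Steve's). It reads the comment's own notation, literal text followed by "[0-9](N)" meaning exactly N digits, and compiles each entry into an anchored regex, which also covers the forwarded-message case the post warns about by tolerating reply/forward prefixes. It then goes one step beyond the list: every listed subject is a phrase, a terminator (".", "!" or "!!!"), a reference word and a 6- or 7-digit number, so a second "family" regex catches unlisted combinations of the same template, which is one answer to the point that the next batch will use different subjects. Only a subset of the list is embedded to keep the block short; the sample subjects other than the one from this post are constructed.

```python
import re

# Subset of the known subjects from the comment above, in the same notation.
KNOWN_SUBJECT_PATTERNS = [
    "Blocked Payment!!! Dispute Number [0-9](6)",
    "Blocked Payment! Case No [0-9](6)",
    "Blocked Money Transfer!!! Dispute No [0-9](6)",
    "Cancelled Money Transfer. Case Number [0-9](6)",
    "Final Warning. Dispute No [0-9](7)",
    "Final Alert! Case Number [0-9](7)",
]

# Optional reply/forward prefixes that mail clients add when a message is passed on.
REPLY_PREFIX = r"(?:(?:re|fw|fwd)\s*:\s*)*"

# Generalisation of the whole list (assumption: the template stays the same
# even when the next batch picks other combinations of these parts).
CAMPAIGN_FAMILY = re.compile(
    r"^" + REPLY_PREFIX
    + r"(?:final (?:warning|notification|alert)|cancelled money transfer|"
    + r"blocked (?:transaction|payment|money transfer))"
    + r"(?:\.|!{1,3})\s+(?:dispute|case)\s+(?:number|no|n)\s+[0-9]{6,7}\s*$",
    re.IGNORECASE,
)

# Parser for the comment's notation: "<literal text> [0-9](<digit count>)".
NOTATION = re.compile(r"^(.*?)\s*\[0-9\]\((\d+)\)$")


def pattern_to_regex(pattern: str):
    """Turn 'Blocked Payment!!! Dispute Number [0-9](6)' into an anchored,
    case-insensitive regex that requires exactly six digits at the end."""
    m = NOTATION.match(pattern)
    if not m:
        raise ValueError(f"unrecognised pattern notation: {pattern!r}")
    literal, digits = m.group(1), int(m.group(2))
    # Escape each word of the literal text; any run of whitespace between words
    # is allowed to match one or more whitespace characters.
    words = [re.escape(w) for w in literal.split()]
    body = r"\s+".join(words) + r"\s+[0-9]{%d}" % digits
    return re.compile(r"^" + REPLY_PREFIX + body + r"\s*$", re.IGNORECASE)


KNOWN_SUBJECTS = [pattern_to_regex(p) for p in KNOWN_SUBJECT_PATTERNS]


def classify_subject(subject: str) -> str:
    """'known' for a listed subject, 'family' for an unlisted variant of the
    same template, 'clean' otherwise."""
    s = subject.strip()
    if any(rx.match(s) for rx in KNOWN_SUBJECTS):
        return "known"
    if CAMPAIGN_FAMILY.match(s):
        return "family"
    return "clean"


if __name__ == "__main__":
    # Constructed sample subjects; the first is the one seen in this post.
    samples = [
        "Blocked Payment!!! Dispute Number 881204",
        "FW: Blocked Payment!!! Dispute Number 881204",
        "Final Notification!!! Case N 1234567",
        "Blocked Payment!!! Dispute Number 88120",
        "Your order has shipped",
    ]
    for s in samples:
        print(f"{classify_subject(s):6}  {s}")
```

A "known" hit is a safe block; a "family" hit is worth quarantining rather than dropping outright, since the broader regex is a guess about the next batch and will need re-tuning when the template actually changes.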