Fake email from Transport for London contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Email from Transport for London”.

This email is send from the spoofed address “noresponse@cclondon.com” and has the following body:

Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Microsoft Word to
read or download this attachment.

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.

The attached file AP0210780545.doc is a Word file that contains a macro that will download malware. The macro will try to download an executable from one of the following locations:

hxxp://jkw-sc.com/111/46.exe
hxxp://aimclickbang.com/111/46.exe
hxxp://www.haunersdorf.de/111/46.exe
hxxp://volpefurniture.com/111/46.exe

This file is saved as %TEMP%\wiley5.exe and is being detected by 4 of the 57 AV engines at Virus Total. Network traffic can be detected towards:

62.152.36.90 (Filanco Ltd, Russia)
89.28.83.228 (StarNet, Moldova)
185.12.95.191 (RuWeb CJSC, Russia)
185.15.185.201 (Colobridge, Germany)

The report shows that it drops a Dridex DLL witch is detected by 3 of the 57 AV engines at Virus Total.