{"id":13055,"date":"2022-04-11T11:31:31","date_gmt":"2022-04-11T11:31:31","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=13055"},"modified":"2023-04-03T11:19:23","modified_gmt":"2023-04-03T11:19:23","slug":"fake-your-sage-subscription-invoice-delivers-dridex-banking-trojan","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-your-sage-subscription-invoice-delivers-dridex-banking-trojan\/","title":{"rendered":"Fake Your Sage Subscription Invoice Delivers Dridex Banking Trojan"},"content":{"rendered":"
The next in the never-ending series of malware downloaders is an email with the subject \u201cYour Sage subscription invoice is ready\u201d, pretending to come from Sage, which delivers the Dridex banking Trojan.<\/p>\n
They use email addresses and subjects that will entice, scare or persuade the recipient to read the email and open the attachment.<\/p>\n
Sage has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.<\/p>\n
One of the emails looks like:<\/p>\n
From:<\/strong> Sage <kingsly.li@serialsystem.com><\/p>\n
Date:<\/strong> Wed 25\/10\/2021 10:57<\/p>\n
Subject<\/strong>: Your Sage subscription invoice is ready<\/p>\n
Dear Client<\/em><\/p>\n
The link in the email goes to a compromised or fraudulently set up OneDrive for Business \/ SharePoint site, where a zip file containing a .js file is downloaded. That .js file eventually downloads the Dridex banking Trojan.<\/p>\n
https:\/\/tailoredpackaging-my.sharepoint.com\/personal\/bec_tailoredpackaging_com_au\/_layouts\/15\/guestaccess.aspx?docid=0b5a1a2799b6e419daf97f646640e195b&authkey=AduyYkbo5mf9IESLsGPE6yk<\/p>\n
Sage subscription invoice.zip: Extracts to: Sage subscription invoice.js. Current Virus Total detections: Payload Security | Dridex Payload VirusTotal | Payload Security |<\/p>\n
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n
Please read our How to protect yourselves page<\/a> for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.<\/p>\n
Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. There are frequently 5 or 6, and even up to 150, download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of this nasty ransomware.<\/p>\n
Body Content:<\/strong><\/h3>\n
\nYour Sage subscription invoice is now ready to view.<\/em>
\nSage subscriptions<\/em>
\n\u2022 To view your Sage subscription invoice click here<\/em>
\nGot a question about your invoice?<\/em>
\nCall us on 0845 111 6605<\/em>
\nIf you\u2019re an Accountant, please call 0845 111 1140<\/em>
\nIf you\u2019re a Business Partner, please call 0845 111 7706<\/em>
\nKind Regards<\/em>
\nThe Sage UK Subscription Team<\/em>
\nPlease note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.<\/em><\/p>\n
Screenshot:<\/strong><\/h3>\n
Email Headers:<\/strong><\/h3>\n
<table>\n<thead>\n<tr>\n<th>IP<\/th>\n<th>Hostname<\/th>\n<th>City<\/th>\n<th>Region<\/th>\n<th>Country<\/th>\n<th>Organisation<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><i>203.116.7.90<\/i><\/td>\n<td>5h.serialsystem.com<\/td>\n<td>Singapore<\/td>\n<td>Central Singapore Community Development Council<\/td>\n<td>SG<\/td>\n<td>AS4657 Starhub Internet, Sin<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nReceived: from 5h.serialsystem.com ([203.116.7.90]:34868 helo=barracuda.serialsystem.com)
\nby knight.knighthosting.co.uk with esmtp (Exim 4.89)
\n(envelope-from <prvs=14710d4d24=kingsly.li@serialsystem.com>)
\nid 1e7IRP-0000at-OJ
\nfor [redacted]; Wed, 25 Oct 2021 10:57:40 +0100
\nX-ASG-Debug-ID: 1508925563-0daf9c16bd454990001-M92BjV
\nReceived: from mail.serialsystem.com ([192.168.11.92]) by barracuda.serialsystem.com with ESMTP id 8RDlkC21TRpLJFOB for <[redacted]>; Wed, 25 Oct 2021 17:59:26 +0800 (SGT)
\nX-Barracuda-Envelope-From: prvs=14710d4d24=kingsly.li@serialsystem.com
\nX-ASG-Whitelist: Client
\nDKIM-Signature: v=1; a=rsa-sha256; c=simple; d=serialsystem.com;
\ns=MDaemon; t=1508925449; x=1509530249;
\ni=kingsly.li@serialsystem.com; q=dns\/txt; h=Date:From:Message-ID:
\nSubject:MIME-Version:Content-Type:To:List-Unsubscribe; bh=Nn3G3u
\n2PTG8YSA2gm3oyCnwx3bAylYb3IWdBsyfUD30=; b=Y2wFu7Ge6LSBcEwHn737oF
\nKZwKTXhczu0UuClf1nvTczWmySMa28fAgfaDG2tlZ+kRe21CaJ5TyTq2zrcsDtsc
\nB0hz46W8WJr8XHvOnzBDDK6GpI2OCApBtBifIVuny\/LJN0wt644QlPy2KjRRwqP7
\nA4Pvnb\/eWXfyVbFM91hJ0=
\nX-MDAV-Result: clean
\nX-MDAV-Processed: mail.serialsystem.com, Wed, 25 Oct 2021 17:57:29 +0800
\nReceived: from 37.59.44.97 by mail.serialsystem.com (MDaemon PRO v16.0.2)
\nwith ESMTPA id md50032021982.msg for <[redacted]>;
\nWed, 25 Oct 2021 17:57:28 +0800
\nX-Spam-Processed: mail.serialsystem.com, Wed, 25 Oct 2021 17:57:28 +0800
\n(not processed: message from trusted or authenticated source)
\nX-MDRemoteIP: 37.59.44.97
\nX-MDHelo: 37.59.44.97
\nX-MDArrival-Date: Wed, 25 Oct 2021 17:57:28 +0800
\nX-Authenticated-Sender: kingsly.li@serialsystem.com
\nX-Return-Path: prvs=14710d4d24=kingsly.li@serialsystem.com
\nX-Envelope-From: kingsly.li@serialsystem.com
\nX-MDaemon-Deliver-To: [redacted]
\nDate: Wed, 25 Oct 2021 02:57:22 -0700
\nFrom: \"Sage\" <kingsly.li@serialsystem.com>
\nMessage-ID: <20171025.0257.22150.JavaMail.glassfish@NVM-P-SUB01>
\nSubject: Your Sage subscription invoice is ready
\nMIME-Version: 1.0
\nX-ASG-Orig-Subj: Your Sage subscription invoice is ready
\nContent-Type: multipart\/alternative; boundary=\"----=_Part_696edbcf732fdfdc\"
\nTo: Undisclosed recipients:;
\nList-Unsubscribe: <mailto:unsubscribe@serialsystem.com?subject=Unsubscribe>
\nX-Barracuda-Connect: UNKNOWN[192.168.11.92]
\nX-Barracuda-Start-Time: 1508925565
\nX-Barracuda-URL: https:\/\/192.168.11.63:443\/cgi-mod\/mark.cgi
\nX-Virus-Scanned: by bsmtpd at serialsystem.com
\nX-Barracuda-Scan-Msg-Size: 2941
\nX-Barracuda-BRTS-Status: 1
\nX-Barracuda-BRTS-URL-Found: tailoredpackaging-my.sharepoint.com (*Spam.Unknown)<\/p>\n