
Email:

Fake LogMeIn spam email claims your account must be updated to a new LogMeIn Central interface and dangles a 50% coupon code as bait to get the attachment opened.

The attached malicious .doc file carries a macro that downloads malware.


Subject: LogMeIn Promo Code - Get 50% off your next purchase  

 Dear client, 

In early January 2015, we have launched new versions of LogMeIn Central designed to deliver improved security to our customers.

For security reasons, every account must be updated to one of the new LogMeIn Central interfaces ( Central Basic , Central Plus , Central Premier ).

Coupon codes have been awarded to our clients, in order to encourage early subscription to the new interface.

Your account has been selected for a 50% discount on your next LogMein purchase.

The coupon code ( valid for 3 days ) and instructions on how to use it have been included in the attached document.

For more information regarding the new LogMeIn Central , visit our blog :

http://blog.logmein.com/it-management/year-central

Thank you for choosing LogMeIn

logmein_coupon_code.doc (50)

Header Examples:

The From: header spoofs logmein.com while the envelope sender (MAIL FROM, shown here as X-Envelope-From) is random junk at unrelated domains. The Received: hosts are ordinary broadband connections (DSL lines, a Telecom Italia business host), consistent with sending from infected machines rather than from LogMeIn mail servers.

Received: from alicegate [79.15.69.153]
X-Envelope-From: enumerables272 @recrosby.com
From: "LogMeIn.com" <no-reply @logmein.com>
Subject: LogMeIn Promo Code - Get 50% off your next purchase

Received: from XOPLMAFU [88.107.169.254]
X-Envelope-From: benedictx0986 @riso.com
From: "LogMeIn.com" <no-reply @logmein.com>
Subject: LogMeIn Promo Code - Get 50% off your next purchase

Received: from host96-20-static.107-82-b.business.telecomitalia.it [82.107.20.96]
X-Envelope-From: ironsv36 @richardprescott.com
From: "LogMeIn.com" <no-reply @logmein.com>
Subject: LogMeIn Promo Code - Get 50% off your next purchase

Received: from dsl-sp-81-140-34-79.in-addr.broadbandscope.com [81.140.34.79]
X-Envelope-From: ines @rmbarchitects.com
From: "LogMeIn.com" <no-reply @logmein.com>
Subject: LogMeIn Promo Code - Get 50% off your next purchase
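The spoofing pattern above (brand in the display name and From: domain, unrelated domain in the envelope sender, sending host on a broadband line) is mechanically detectable. The following is an added example, not code from the original post: it parses the four header snippets shown above (with the anti-scraping spaces removed from the addresses) plus one constructed, properly aligned message as a negative control, and flags the From/envelope domain mismatch that a DMARC alignment check would catch.

```python
"""Check the spoofed-sender pattern seen in the header examples above.

Added example, not code from the original post. SAMPLES[0..3] are the header
snippets from the post with anti-scraping spaces removed; SAMPLES[4] is a
constructed, aligned message used as a negative control.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

SAMPLES = [
    'Received: from alicegate [79.15.69.153]\n'
    'X-Envelope-From: enumerables272@recrosby.com\n'
    'From: "LogMeIn.com" <no-reply@logmein.com>\n'
    'Subject: LogMeIn Promo Code - Get 50% off your next purchase\n',

    'Received: from XOPLMAFU [88.107.169.254]\n'
    'X-Envelope-From: benedictx0986@riso.com\n'
    'From: "LogMeIn.com" <no-reply@logmein.com>\n'
    'Subject: LogMeIn Promo Code - Get 50% off your next purchase\n',

    'Received: from host96-20-static.107-82-b.business.telecomitalia.it [82.107.20.96]\n'
    'X-Envelope-From: ironsv36@richardprescott.com\n'
    'From: "LogMeIn.com" <no-reply@logmein.com>\n'
    'Subject: LogMeIn Promo Code - Get 50% off your next purchase\n',

    'Received: from dsl-sp-81-140-34-79.in-addr.broadbandscope.com [81.140.34.79]\n'
    'X-Envelope-From: ines@rmbarchitects.com\n'
    'From: "LogMeIn.com" <no-reply@logmein.com>\n'
    'Subject: LogMeIn Promo Code - Get 50% off your next purchase\n',

    # Constructed control: envelope sender and From: share a domain.
    'Received: from mail.example.net [198.51.100.7]\n'
    'X-Envelope-From: bounces@example.net\n'
    'From: "Example Billing" <billing@example.net>\n'
    'Subject: Your invoice\n',
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Domain part of the address in a From:/X-Envelope-From: value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw_headers):
    """Extract sender fields and return findings describing why it looks spoofed."""
    msg = HeaderParser().parsestr(raw_headers)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("X-Envelope-From"))
    m = IP_RE.search(msg.get("Received", ""))
    ip = m.group(1) if m else None
    display, _ = parseaddr(msg.get("From", ""))

    findings = []
    # DMARC-style alignment: the RFC5322.From domain should match the domain
    # that SPF actually authenticates, i.e. the envelope sender (MAIL FROM).
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(
            f"From domain {from_dom} does not align with envelope sender {env_dom}")
    # The display name repeats the impersonated brand while the envelope
    # points elsewhere; a classic lure cue for the user-visible sender.
    if display and from_dom and from_dom.split(".")[0] in display.lower() \
            and from_dom != env_dom:
        findings.append(f"display name {display!r} reinforces the spoofed brand")

    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "received_ip": ip,
        "findings": findings,
        "suspicious": bool(findings),
    }


def suspicious_samples(samples=SAMPLES):
    """Indices of the samples flagged as spoofed."""
    return [i for i, s in enumerate(samples) if analyse(s)["suspicious"]]


if __name__ == "__main__":
    for i, s in enumerate(SAMPLES):
        r = analyse(s)
        print(i, r["received_ip"], r["from_domain"], "<-", r["envelope_domain"],
              "SPOOFED" if r["suspicious"] else "ok", r["findings"])
```

If the impersonated domain publishes a DMARC policy, a receiving gateway gets the same verdict for free: SPF can only authenticate the envelope domain (recrosby.com, riso.com, and so on), so it never aligns with logmein.com in From:, and no DKIM signature from logmein.com is present, so the message fails DMARC.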

Malware

2 February 2015 

Attachment : malicious .doc file with macro : logmein_coupon_code.doc

VirusTotal report 

CAT-QuickHeal: O97M.Dropper.AX
Kaspersky: Trojan-Downloader.MSWord.Agent.el

The .doc file wants you to enable macros:

[Image: the .doc file telling the user to enable macros]

An example of the macro can be found at this pastebin. Once enabled, it downloads an executable from locations such as:

146.185.213.35/upd/install.exe 

Downloaded executable : install.exe ( tordal / hancitor )

VirusTotal report 

Kaspersky: UDS:DangerousObject.Multi.Generic

network traffic:
api.ipify.org (54.235.186.52)
ho7rcj6wucosa5bu.tor2web.org (38.229.70.4)
ho7rcj6wucosa5bu.tor2web.ru (166.78.144.80)
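The download host and the post-infection traffic above are the indicators a defender would sweep DNS and proxy logs for. The following is an added example, not part of the original post: it matches the indicators listed on this page against constructed log lines, and generalises the tor2web hostnames to any 16-character onion name reached through a tor2web gateway, since that is what the bot is doing (talking to a Tor hidden service via a clearnet proxy). The api.ipify.org lookup is treated as a weak indicator on its own, because legitimate software also uses it to learn its external IP.

```python
"""Sweep DNS/proxy log lines for the tordal/hancitor indicators on this page.

Added example, not code from the original post. Indicators are taken from the
post; the log lines in SAMPLE_LOG are constructed for illustration.
"""
import re

# Exact indicators from the post.
IOC_HOSTS = {
    "ho7rcj6wucosa5bu.tor2web.org",
    "ho7rcj6wucosa5bu.tor2web.ru",
}
IOC_IPS = {"146.185.213.35", "38.229.70.4", "166.78.144.80"}

# Generalisation: a 16-char (base32) onion name fronted by any tor2web TLD.
TOR2WEB_RE = re.compile(r"^[a-z2-7]{16}\.tor2web\.[a-z]+$")

# Weak indicator: external-IP lookup, common first beacon of a fresh bot but
# also used by plenty of benign software.
WEAK_HOSTS = {"api.ipify.org"}

# Constructed log format: "<time> <client_ip> <DNS|HTTP> <host_or_url>"
SAMPLE_LOG = """\
2015-02-02T10:01:03 10.0.0.23 DNS api.ipify.org
2015-02-02T10:01:04 10.0.0.23 HTTP http://146.185.213.35/upd/install.exe
2015-02-02T10:01:09 10.0.0.23 DNS ho7rcj6wucosa5bu.tor2web.org
2015-02-02T10:01:10 10.0.0.23 DNS ho7rcj6wucosa5bu.tor2web.ru
2015-02-02T10:02:00 10.0.0.42 DNS www.logmein.com
2015-02-02T10:02:30 10.0.0.42 HTTP http://blog.logmein.com/it-management/year-central
2015-02-02T10:03:00 10.0.0.77 DNS abcdefghijklmnop.tor2web.fi
"""


def host_from(field):
    """Bare host from a hostname or URL (scheme and path stripped)."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", field)
    return m.group(1).lower() if m else field.lower()


def classify(host):
    """'ioc' for a listed indicator, 'tor2web' for the generalised pattern,
    'weak' for the IP-lookup service, None otherwise."""
    if host in IOC_HOSTS or host in IOC_IPS:
        return "ioc"
    if TOR2WEB_RE.match(host):
        return "tor2web"
    if host in WEAK_HOSTS:
        return "weak"
    return None


def scan(log_text):
    """Return one hit dict per log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, _kind, target = parts
        host = host_from(target)
        verdict = classify(host)
        if verdict:
            hits.append({"time": ts, "client": client,
                         "host": host, "verdict": verdict})
    return hits


def infected_clients(hits):
    """Clients that touched a strong indicator; ipify alone is not enough."""
    return sorted({h["client"] for h in hits if h["verdict"] != "weak"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["verdict"], h["host"])
    print("infected:", infected_clients(found))
```

The tor2web match is deliberately broader than the two hostnames in the traffic capture: the onion name is what identifies this C2, but the gateway domain is interchangeable, and a bot that fails over from tor2web.org to tor2web.ru (as seen above) can just as easily be pointed at another gateway. Blocking or alerting on the tor2web pattern as a whole costs little, since ordinary users have no business reaching hidden services through a clearnet proxy.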

Malwr.com report 

So what is next?

This malware joins the infected computer to a botnet. The bot is then assigned work and sent additional malware to carry it out; spam-sending executables are a popular choice.

Matthew Mesa also documented tordal/hancitor bots being sent Vawtrak / Gozi.
