Sanesecurity ClamAV blog: zero hour malware, phishing and scams: dridex

Datasharp UK Ltd - Monthly Invoice & Report - ebilling@datasharp.co emails with an attached document, is being spammed out. The document contains a macro.

The Word document has a random attachment, however these emails aren't from Datasharp UK Ltd
at all, they just being used to make the email look more genuine, ie. from a real company.

It's also worth remembering that the company itself may not have any knowledge of this attachment as it won't have come from their servers and IT systems.

They may not be able to tell you if it's malware or even help clean up your system.

Comment Update: "I Work for Datasharp - we are receiving a high volume of calls due to this email - please just treat as spam - delete and virus check No need to call in - the email was not sent from us. (14:38)"

Message Header:

From: {ebilling@datasharp.co}
Subject: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
Date: Fri, 09 Jan 2015 14:42:47 +0700

Message Body:

THIS MESSAGE WAS SENT AUTOMATICALLY
Attached is your Invoice from Datasharp Hosted Services for this month.
To view your bill please go to www.datasharp.co.uk. Allow 24 hours before viewing this information.
For any queries relating to this bill, please contact hosted.services@datasharp.co.uk or call 01872 266644.
Please put your account number on your reply to prevent delays
Kind Regards
Ebilling

Invoice_2839240.doc

Md5 Hashes:

625dd97b2495691ea687adb122749508
94e5abd0bffe71c4e6b73a81c362fa5b

Malware Macro document information:

VirusTotal Report [1]
(hits 0/56 Virus Scanners)

VirusTotal Report [2]
(hits 0/56 Virus Scanners)

Malwr Report [1]

Decoded Macro [1]

Sanesecurity signatures are blocking this as: Sanesecurity.RogueDoc.0hr.20150109-0752

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,

Steve

Sanesecurity.com

The current wave of Word/Excel document based malware is usually trying to download the Dridex malware onto your system.

I can't take credit for this but an anonymous poster to pastebin kindly posted the currrent Dridex bot
settings to pastebin.

I've chopped out a lot of the code but here's the current list of banks that the Dridex bot looks
to grab information from:

(|\.)alstats\.com
.*\.2o7\.net
.*\.adnxs\.com
.*\.atdmt\.com
.*\.creativevirtual\.com
.*\.doubleclick\.net
.*\.intenthq\.com
.*\.jwpcdn\.com
.*\.levexis\.com
.*\.maxymiser\.net
.*\.mediaplex\.com
.*\.member-hsbc-group\.com
.*\.mookie1\.com
.*\.na1\.netsuite\.com
.*\.omtrdc\.net
.*\.parastorage\.com
.*\.servicetick\.com
.*\.serving-sys\.com
.*\.sessioncam\.com
.*\.smartsourceportal\.com
.*\.tiqcdn\.com
.*\.tribalfusion\.com
.*\.userreplay\.net
.*\.webtrendslive\.com
^https?://accounts.google.com/ServiceLoginAuth
^https?://aol.com/.*/login/
^https?://login.live.com/
^https?://login.yahoo.com/
advanced\-web\-analytics\.com
assets\.adobedtm\.com
b8k\.nationwide\.co\.uk
cdn\.bankofscotland\.co\.uk
cdn\.retail\.metrobankonline\.co\.uk
cdn\.riyadonline\.com
check\.bankofscotland\.co\.uk
check\.lloydsbank\.co\.uk
check\.tsb\.co\.uk
check2\.bankofscotland\.co\.uk
check2\.lloydsbank\.co\.uk
cs\.directnet\.com/dn/csd/u4F
cws\.bankline\.natwest\.com
cws\.bankline\.rbs\.com
grey\.smile\.co\.uk
http://business.aib.ie/(business|)login
http://www\.co\-operativebank\.co\.uk/business/businessonlinebanking/bobs\-noticeboard
http://www\.co\-operativebank\.co\.uk/corporate/fdo\-noticeboard
http://www\d*\.secure\.hsbcnet\.com/uims/content/public/hibm/logon/logon\.html
http://ya\.ru
https://(corpebankasia|corpebank)\.icbc\.com\.cn/icbc/corporbank/index.*\.jsp(\?|$)
https://(edi|del|hkg|lon|sta)\.my\.rbs\.com
https://(retail|corporate)\.metrobankonline\.co\.uk
https://.*/fi\d+/bb/logon
https://.*\.directnet\.com/dn/c/cls/auth
https://.*business\.lloydsbank\.co\.uk/business
https://access\.rbsm\.com/logon/(password|dp300)/.+\.fcc(\?|$)
https://ambank\.amonline\.com\.my
https://apib\d*\.anz\.com/apinetbank/(Startup|LoginEsInetANZ)\.aspx(\?|$)
https://bank\.barclays\.co\.uk/olb/auth/LoginLink\.action
https://banking\.bankofscotland\.co\.uk/Logon/Logon\.aspx(\?|$)
https://banking\.lloydsbank\.com/Logon/logon\.aspx(\?|$)
https://banking\.mashreqbank\.com/FID/login\.aspx
https://banking\.triodos\.co\.uk/ib\-seam/login\.seam\?loginType=dp550
https://bbank\d+\.ybonline\.co\.uk/ifdu/ifdlm\-web/login\.ctl
https://bbmy\.ocbc\.com
https://biz\.hkbea\-cyberbanking\.com/servlet/MA01Show(\?|$)
https://biz\.uob\.com\.my/ELO/login\.jsp
https://bizibanking\.bangkokbank\.com/bblamsui/Signon.*\.aspx
https://business\.co\-operativebank\.co\.uk/corp/BANKAWAY
https://business\.santander\.co\.uk/LGSBBI\_NS\_ENS/
https://business\d*\.danskebank\.(co\.uk|com)/pub/logon/logon\.aspx
https://cardservicing\.mint\.co\.uk/RBSG\_Consumer/Login\.do
https://cardsonline\-commercial\.com/RBSG\_Commercial/.*Login\.do
https://cashmanagement\.barclays\.net/portalservices/forms/login\.pser
https://cashmanagement\.barclays\.net/portalservices/forms/login\.pser\?TYPE.+cashmanagement
https://cbfm\.saas\.cashfac\.com/cbfm/
https://cbionline\.cbi\.ae/bus/security/companyLogin\.jsp
https://cbs\.ncbchina\.cn/corporbank/login\_basic\_e\.jsp(\?|$)
https://cib\.affinonline\.com/business/login\.html
https://cib\.bochk\.com/login/cib\_login012\_.*\.jsp(\?|$)
https://cib\.bochk\.com/login/fis/cib\_login012\_.*\.jsp(\?|$)
https://cib\.icicibank\.com\.sg/CIBSGAPP/BANKAWAY(\?|$)
https://cib\.uab\.ae/
https://clientlogin\.ibb\.ubs\.com/login(\?|$)
https://comnet\.pbz\.hr/PbzComnetWeb/app/logon\.html
https://connect\.barclays\.com/.*authen
https://corporate\.adcb\.com/corporateWeb/
https://corporate\.cbq\.com\.qa
https://corporate\.santander\.co\.uk/LOGSCU_NS_ENS/
https://direkt\.rba\.hr/cgi\-bin/ppz2/start/rbat\.jsp
https://e\-finance\.postfinance\.ch/(ef/secure|secure/fp)/html/
https://eadibcorp\.adib\.ae/cb/servlet/cb/jsp\-ns/login\.jsp
https://eadibcorp\.adib\.ae/cb/servlet/cb/jsp\-ns/login2\.jsp
https://eb\.bankcomm\.com\.hk/eb/login\.action(\?|$)
https://ebank\.eonbank\.com\.my/cashmgmt/security/commonLogin\.jsp($|\?)
https://ebank\.kasikornbankgroup\.com/kbiznet/login.*\.html
https://ebanking\-ch\d+\.ubs\.com/workbench/Index\.do
https://ebusiness\.hangseng\.com/1/2/
https://elementa\.otpbanka\.hr/gradjani/.*/foweb/nb/eLEMENTa
https://fdonline\.co\-operativebank\.co\.uk/corp/BANKAWAY
https://fiepay\.mashreqbank\.com/Login\.asp
https://home\d*\.cybusinessonline\.co\.uk/lmgru.*/ceblm\-web/
https://home\d+\.cbonline.co\.uk/ralu.*/reglm\-web/login\.ctl
https://home\d+\.ybonline.co\.uk/ralu/reglm\-web/login\.ctl
https://ib\.bankmandiri\.co\.id/retail/Login\.do
https://ib\.bri\.co\.id/ib\-bri/Login\.html
https://ib\d*\.npbs\.co\.uk/IB\.Web/Login\.aspx
https://ibank\.agribank\.com\.vn/ibank/index\.jsp
https://ibank\.bni\.co\.id/corp/AuthenticationController
https://ibank\.bri\.co\.id/cms/
https://ibank\.hncb\.com\.hk/netbank/pages/jsp/HKLogin/html/HKLogin\_en\.jsp(\?|$)
https://ibank\.klikbca\.com
https://ibank\.standardchartered\.com\.hk/nfs/login\.htm(\?|$)
https://ibank\.standardchartered\.com\.sg/nfs/login\.htm(\?|$)
https://ibank\d*\.bib\.barclays\.com/logon/
https://ibank1\.bib\.barclays\.com/logon/bibapplication.+LOGON\.VALIDATE\.SIGNED
https://ibb\.aibgb1\.co\.uk/ibb/controller
https://ibps\.hpb\.hr/HPB\.iBank\.IBPS\.Web/login\.iface
https://ibusinessbanking\.aib\.ie/ibb/controller
https://ideal\.dbs\.com/loginSubscriber/login/(SubscriberLoginServlet|pin\.jsp)
https://internet\-banking\.dbs\.com\.sg/IB/Welcome(\?|$)
https://internet\-banking\.hk\.dbs\.com/IB/Welcome(\?|$)
https://leumionline\.bankleumi\.co\.uk/my\.policy
https://lloydslink\.online\.lloydsbank\.com/Logon/Logon\.jsp
https://login\.smartbusiness\.ae/
https://logon\.reflex\.rhbbank\.com\.my/rhbcams/corporate/login\.jsp
https://mcm\.bankmandiri\.co\.id/corp/common/login\.do\?action=login
https://mcsign\.ba\-ca\.com/smartoffice/\_mcologon\?\.\.OASLogon
https://mib\.bankmandiri\.co\.id/sme/common/login\.do\?action=login
https://nbf\.ae/corporate/BANKAWAY(;|\?|$)
https://nbqonline\.ae/corp/BANKAWAY\?Action\.CorpUser\.Init
https://net\.pbz\.hr/pbz365/logon.*
https://netbanking\.mashreqbank\.com/B001/SMELogin\.jsp
https://netbanking\.mashreqbank\.com/EntlWeb/IbsJsps/orbilogin\.jsp
https://online\-business\.bankofscotland\.co\.uk/business/logon/login\.jsp(\?|$)
https://online\-business\.tsb\.co\.uk/business/logon/login\.jsp
https://online\.adambank\.com/eBankingAdamLogin/login
https://online\.bankofcyprus\.co\.uk/netteller/login\.faces
https://online\.coutts\.com/eBankingCouttsLogin/login
https://online\.dib\.ae/webapplication\.ui/localoperations/login/corporateloginpage\.aspx
https://online\.fgb\.ae/fgbcorporate/CorpLogin\.html?(\?|$)
https://online\.nbad\.com/iportalweb/iportal/jsps/orbilogin\.jsp
https://online\.ybs\.co\.uk/public/authentication/login1\.do
https://onlinebanking\.nationwide\.co\.uk/AccessManagement/Login
https://onlinebusiness\.lloydsbank\.co\.uk/business/logon/login\.jsp
https://private\.bankofsingapore\.com/IPBWBWeb/Login/.+\.aspx(\?|$)
https://professionalson\-line\.bankofscotlandbusiness\.co\.uk/\_mem\_bin/formslogin\.asp
https://rakbankonline\.ae/corp/BANKAWAY(;|\?|$)
https://s2b\.standardchartered\.com/ssoapp/(login\.jsp|core\.security\.login\.event)
https://secure\.cafbank\.org
https://securebank\.cahoot\.com/servlet/com\.aquariussecurity\.bks\.security\.authentication\.servlet\.LoginEntryServletBKS
https://singapore\.lbbw\-business\.com/LBBWCorpWeb/login/.+\.action(\?|$)
https://sme\.standardchartered\.com/commonapp/core\.security\.vascochallenge\.event
https://sslsecure\.maybank\.com\.sg/cgi\-bin/mbs/scripts/mbb\_login\.jsp(\?|$)
https://uniservices\d*\.uobgroup\.com/(ELO/login\.jsp|wpe/ca/login\.do|wpe/ca/loginForm\.jsp)(\;|\?|$)
https://vpn.*\.sjp\.co\.uk/vpn/vpnloginpage\.html
https://vpn\.tarumanagara\.com/\+CSCOE\+/logon\.html
https://ws\d+\.kasikornbank\.com/baliweb/\d+/site/defaultskin/.*/html/static/logon\.htm
https://www\.allianceonline\.net\.my/Corporate/welcome\.htm
https://www\.amesecurities\.com\.my/gc/main\.jsp
https://www\.bankislam\.biz/rib/login/index
https://www\.bankline\.natwest\.com/
https://www\.bankline\.natwest\.com/CWSLogon/
https://www\.bankline\.rbs\.com/
https://www\.bankline\.ulsterbank\.(ie|co\.uk)/
https://www\.bankline\.ulsterbank\.(ie|co\.uk)/CWSLogon/
https://www\.barclayswealth\.com/login/action/logon/unauthenticated/personal/loginDetails
https://www\.bizchannel\.cimb\.com\.sg/corp/common\d*/login\.do(\?|$)
https://www\.boi\-bol\.com/comLogon\.jsp
https://www\.boi\-bol\.com/newHome\.jsp
https://www\.business\.hsbc\.co\.uk/1/2/
https://www\.caterallenonline\.co\.uk/WebAccess\.dll
https://www\.cbdibusiness\.ae/cb/servlet/cb/login\.jsp($|\?)
https://www\.citibank\.com\.my/MYGCB/JPS/portal/Index\.do
https://www\.citibusiness\.citibank\.com\.sg/SGCBZ/JSO/signon/DisplayCinSignon\.do(\?|$)
https://www\.commercial\.hsbc\.com\.hk/1/2/.+
https://www\.credit\-suisse\.com\.sg/amserver/UI/Login(\?|$)
https://www\.danamonline\.com/onlinebanking/Login/lgn_new\.aspx
https://www\.ebanking\.cimbthai\.com/cash/logon\.jsp
https://www\.fbo\.fubonbank\.com\.hk/fboPortal/index\_e\.jsp(\?|$)
https://www\.fundsdirect\.co\.uk/bks/login\.aspx\?bksid=beaumont
https://www\.hongleongonline\.com\.my/business/public/main\.html
https://www\.hsbc\.co\.uk/1/2/
https://www\.hsbc\.com\.cn/1/2/.+
https://www\.hsbc\.com\.sg/1/2/.+
https://www\.hsbc\.com\.vn/1/2/
https://www\.hvbrsce\.com/ebanking/London/EXE/WBankDsp\.exe
https://www\.integrator\.barclays\.com/idc/html/LoginStep1\.html
https://www\.iombankibanking\.com/eai/IPB_EAI_Web/
https://www\.irakyat\.com\.my/retail/security/commonLogin\.jsp
https://www\.kbc\.be/
https://www\.maybank2e\.net/M2E/mbbcustomer/
https://www\.maybank2u\.com\.my/mbb/m2u/common/mbbLoginCheckAdapt\.do
https://www\.maybank2u\.com\.my/mbb/m2uNOW/common/mbbLoginCheckAdapt\.do
https://www\.mybsn\.com\.my/mybsn/login/login\.do
https://www\.mybusinessbank\.co\.uk/cs70\_banking/logon/slogon
https://www\.nwolb\.com/(login|default)\.aspx
https://www\.onlinebanking\.iombank\.com/(login|default)\.aspx
https://www\.onlinesbiglobal\.com/\S+/BANKAWAY($|\?|\;)
https://www\.otpbanka\.hr/english/welcome\.htm
https://www\.otpbanka\.hr/html/dobrodosli\.htm
https://www\.permatae\-business\.com/corp/common/login\.do\?action=login
https://www\.rbsdigital\.com/(login|default)\.aspx
https://www\.sbnet\.splitskabanka\.hr/priv/.*/dciweb\.htm
https://www\.tescobank\.com/sss/auth
https://www\.ucoebanking\.com/BankAwayRetail/.*/web/L001/retail/jsp/user/CorporateSignOn\.aspx(\?|$)
https://www\.ulsterbankanytimebanking\.co\.uk/(login|default)\.aspx
https://www\.unb\.com/uninet/main\_login\.asp
https://www\.unity\-online\.co\.uk
https://www\.vietcombank\.com\.vn/ibanking/Default\.aspx
https://www\.vietinbank\.vn/ipay/vbh/login\.do
https://www\.winglungbank\.com/corpbanking/logon/CbHomLogonInp\.jsp(\?|$)
https://www\.zaba\.hr/ebank/gradjani/InnerLogin\.jsp
https://www\d*\.secure\.hsbcnet\.com/uims/content/public/hibm/logon/usernameInput.+
https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_CAM10\_AUTHENTICATION(;|$)
https://www\d*\.secure\.hsbcnet\.com/uims/portal/IDV\_OTP\_CHALLENGE(;|$)
https://www\d+\.firstdirect\.com/1/2/
https?://www.rbs\.co\.uk/corporate/electronic\-services/g1/bankline\.ashx
https?://www\.business\.natwest\.com/afb/public/nwb/AFBRoot/mainhome/2morover/accounts
https?://www\.cybusinessonline\.co\.uk/essential\-maintenance/fraud\-message
https?://www\.lloydsbankcommercial\.com/servicemessage
https\://.*/tdsecure/intro\.jsp.*]]
https\://.*bankofscotland\.co\.uk/personal.*]]
https\://.*halifax-online\.co\.uk/personal.*]]
https\://.*lloydsbank\.co\.uk/personal.*]]
https\://.*personal\.co-operativebank\.co\.uk.*]]
https\://.*tsb\.co\.uk/personal.*]]
https\://3ds\.cardcenter\.ch/acspage/cap\?RID\=.*]]
https\://3ds\.jccsecure\.com/acspage/cap\?RID\=.*]]
https\://3dsecure\.acb\.com\.vn/ACB/jsp/.*]]
https\://3dsecure\.icscards\.nl/acspage/cap\?RID\=.*]]
https\://3dsecure\.ing\.ro/acs/auth/.*]]
https\://3dsecure\.paylife\.at/acspage/cap\?RID\=.*]]
https\://acs-ch\.cal-online\.co\.il/acspage/cap\?RID\=.*]]
https\://acs\.icicibank\.com/acspage/cap\?RID\=.*]]
https\://acs\.netcetera\.ch/acspage/cap\?RID\=.*]]
https\://acs\.onlinesbi\.com/sbi/jsp/.*]]
https\://acs\.sia\.eu/cartasi/pareq/.*]]
https\://acs\.swisscard\.ch/acspage/cap\?RID\=.*]]
https\://acs1\.viseca\.ch/acspage/cap\?RID\=.*]]
https\://acs3\.3dsecure\.no/mdpayacs/pareq.*]]
https\://acs4\.3dsecure\.no/mdpayacs/pareq.*]]
https\://alphabank\.cardinalcommerce\.com/transaction/.*]]
https\://avantcard\.cardinalcommerce\.com/transaction/.*]]
https\://bankaljazira\.cardinalcommerce\.com/transaction/.*]]
https\://cap\.securecode\.com/acspage/cap\?RID\=.*]]
https\://cards\.indusind\.com/IndusindBank/jsp/.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/AndhraBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/BOB/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/BOBCards/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/CanaraBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/ComBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/CorporationBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/DenaBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/FederalBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/IndianBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/IOB/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/JKBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/KotakBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/KVB/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/SeylanBank/server/AccessControlServer.*]]
https\://cardsecurity\.enstage\.com/ACSWeb/EnrollWeb/UCOBank/server/AccessControlServer.*]]
https\://cardsecurity\.standardchartered\.com/acspage/cap\?RID\=.*]]
https\://cbi\.electracard\.com/cbi/jsp/.*]]
https\://corpbank\.electracard\.com/corpbank/jsp/.*]]
https\://cosacs\.electrapay\.com/CosmosBank/jsp/.*]]
https\://eurobankmc\.cardinalcommerce\.com/.*]]
https\://eurobankvisa\.cardinalcommerce\.com/.*]]
https\://i3d\.borica\.bg/acspage/cap\?RID\=.*]]
https\://ibqmc\.cardinalcommerce\.com/.*]]
https\://ibqvisa\.cardinalcommerce\.com/.*]]
https\://kfh-b\.cardinalcommerce\.com/transaction/.*]]
https\://login\.myproducts\.tescobank\.com/arcotafm/saml/controllerCustomTB\.jsp.*]]
https\://marfinbank\.cardinalcommerce\.com/transaction/.*]]
https\://netsafe\.hdfcbank\.com/ACSWeb/jsp/.*]]
https\://pnb\.electracard\.com/pnb/jsp/.*]]
https\://sambabankmc\.cardinalcommerce\.com/.*]]
https\://sambabankvisa\.cardinalcommerce\.com/.*]]
https\://santanderpbmc\.cardinalcommerce\.com/.*]]
https\://santanderpbvisa\.cardinalcommerce\.com/.*]]
https\://savcreditmc\.cardinalcommerce\.com/.*]]
https\://savcreditvisa\.cardinalcommerce\.com/.*]]
https\://secure-code\.mlp\.de/acspage/cap\?RID\=.*]]
https\://secure.*\.arcot\.com/acspage/cap\?RID\=.*]]
https\://secure\.axisbank\.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer.*]]
https\://secure\.edb\.com/d3SecureAuthce2/d3Secure/authentication/post.*]]
https\://securecode\.abnamro\.nl/acspage/cap\?RID\=.*]]
https\://securecode\.ing\.nl/acspage/cap\?RID\=.*]]
https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/auth/SCode\.jsp.*]]
https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/auth/VBV\.jsp.*]]
https\://secureonline\.idbibank\.com/ACSWeb/EnrollWeb/IDBIBank/server/AccessControlServer.*]]
https\://sibacs\.electrapay\.com/SouthIndianBank/jsp/.*]]
https\://sparda\.wlp-acs\.com/flowGlobal\.wflow.*]]
https\://stanbicibtcbankweb\.cardinalcommerce\.com/transaction/.*]]
https\://thinkmoney\.cardinalcommerce\.com/.*]]
https\://tsys\.arcot\.com/acspage/cap\?RID\=.*]]
https\://ubagroup\.cardinalcommerce\.com/transaction/.*]]
https\://ubi\.electracard\.com/ubi/jsp/.*]]
https\://www\.3dsecure\.icicibank\.com/ACSWeb/EnrollWeb/ICICIBank/server/AccessControlServer.*]]
https\://www\.citibank\.co\.in/acspage/cap_nsapi\.so\?RID\=.*]]
https\://www\.monetaonline\.it/acs/insertPassword\?brand\=MasterCard.*]]
https\://www\.monetaonline\.it/acs/insertPassword\?brand\=Visa.*]]
https\://www\.mycardsecure\.com/acspage/cap\.dll\?RID\=.*]]
https\://www\.sebkort\.com/skm/acspage/cap\?RID\=.*]]
https\://www\.securepay\.hsbc\.co\.in/SecurePay/servlet/Authenticate.*]]
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*aib\.mc&.*]]
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*aib\.visa&.*]]
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*ftb\.mc&.*]]
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*ftb\.visa&.*]]
https\://www\.securesuite\.co\.uk/aib/tdsecure/pa\.jsp.*SAGA&.*]]
images\.coventrybuildingsociety\.co\.uk
img3\.moneygram\.com
indigo\.co\-operativebank\.co\.uk
iss\.gtbank\.com
lab\.lloydsbank\.com
liveperson\.net
marketing\.bankofscotland\.co\.uk
marketing\.halifax\-online\.co\.uk
marketing\.lloydsbank\.co\.uk
marketing\.tsb\.co\.uk
mc3\.retail\.santander\.co\.uk
mcmprod\.hsbc\.co\.uk
media\.barclays\.co\.uk
metrics\.barclays\.co\.uk
mujcz\.erasvet\.cz
nsc\.natwest\.com
nsc\.rbs\.co\.uk
nsc\.ulsterbank\.co\.uk
pioneer\.co\-operativebank\.co\.uk
press\.retail\.santander\.co\.uk
rac\.bankia\.es
reporting\.cbonline\.co\.uk
resources\.barclays\.co\.uk
road\.nationwide\.co\.uk
roll\.nationwide\.co\.uk
room\.business\.santander\.co\.uk
sc\.natwest\.com
sc\.rbs\.co\.uk
sc\.ulsterbank\.co\.uk
smetrics\.barclays\.co\.uk
smetrics\.nationwide\.co\.uk
sogecashnet\.sgeb\.bg
splash-screen\.net
staticres\.klikbca\.com
sucmetrics\.unicredit\.it
tppa\.bmo\.com
tts\.dlbank\.be
u8n\.business\.santander\.co\.uk
uni\.ibank\.nbg\.gr
web12\.columbiabank\.com
webtrends\.com
www\.analytics\-control\.com
www\.bankline\.natwest\.com/CWSLogon/analytics
www\.bankline\.rbs\.com/CWSLogon/analytics
www\.bankline\.ulsterbank\.co\.uk/CWSLogon/analytics
www\.bankline\.ulsterbank\.ie/CWSLogon/analytics
www\.t32\.pnc\.com
www3\.bankline\.natwest\.com
www3\.bankline\.rbs\.com
www3\.bankline\.ulsterbank\.co\.uk
www3\.bankline\.ulsterbank\.ie
www7\.nwolb\.com
www7\.onlinebanking\.natwestoffshore\.com
www7\.rbsdigital\.com
www7\.secure\.investec\.com
www7\.suntrust\.com
www7\.ulsterbankanytimebanking\.co\.uk
www7\.ulsterbankanytimebanking\.ie
ya\.ru
yellow\.co\-operativebank\.co\.uk
zaba\.hr/ezaba/

As you can see it's a pretty comprehensive list!

The above list shows why Dridex is so dangerous, as it takes the following information when
you access the banks in the above list:

Take Screenshots when you access something from the above list.
Records Formswhen you access something from the above list.
Eg. (Username/Password/Date of Birth and pretty much any field that you type in)

It also grabs this information from the following browsers:

Internet Explorer
Firefox
Chrome
Opera

In short, don't click on any of the current Word/Excel malware, it's not good.

Cheers,

Steve
Sanesecurity.com

Sanesecurity ClamAV blog: zero hour malware, phishing and scams

Amazon3

Pages

Amazon

Monday, 12 January 2015

Invoice from simply carpets of Keynsham Ltd document malware

Friday, 9 January 2015

Datasharp UK Ltd - Monthly Invoice & Report - ebilling@datasharp.co word malware

Thursday, 8 January 2015

word excel macro malware Dridex bot