Early this morning, right around the start of the business day over here in the states, we began seeing a malware campaign hitting our filters that masqueraded as UK music licensing firm PPL. Even though it looks like this was a cast net style attack where both US domains and British domains were targeted, the time of day this was launched certainly was centered around US targets starting their workday.
The email states that the recipient needs to pay licensing fees associated with playing recorded music at their premises. This is usually reserved for bars with jukeboxes or other businesses such as restaurants that play music for their guests or show television programs with copyrighted material. However, these emails weren't only sent to businesses that this would apply to, they were sent to a huge swatch of possible victims regardless of their services provided. The information provided in the email is well presented with links that actually lead to the PPL site and the corresponding information for them is also correct. The danger here lies in the attachment that is supposed to be an invoice for the incurred fees. It is a Word document by the name of "P_PP_INVN_02573466_01-43-52_03657322_NEWBUS_O_E.DOC", not the most eloquent of naming conventions, but likely busy on purpose to add to the confusion. This Word file, as has been popular as of late, contains a malicious macro that reaches out to the domain g6000424.ferozo.com in order to pull down more malicious files onto the victim machine. Furthermore, these files reach out to the IP 18.104.22.168 which belongs to a company in Thailand by the name of Internet Thailand Company Limited, which appears to be a cloud service provider. One of the files downloaded named "10.exe" belongs to the Dridex family of banking trojans which are commonly found in these malicious macro style attacks. Dridex relies on these Word documents and associated macros to steal online banking credentials.