Sponsored by..

Thursday, 16 May 2013

Wells Fargo and Citi spam / SecureMessage.zip and Securedoc.zip

This fake Wells Fargo message contains a malicious attachment:

Date:      Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From:      "Grover_Covington@wellsfargo.com" [Grover_Covington@wellsfargo.com]
Subject:      New Secure Message

Wells Fargo    

To Read This Message:


Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message    

This message was sent to : [redacted]

Email Security Powered by Voltage IBE

Copyright 2013 Wells Fargo. All rights reserved

The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal.

The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.

Date:      Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm
The ThreatExpert report reveals some information, but the best analysis is this ThreatTrack report. Between them they identify some IPs and domains worth blocking:

No comments: