
Monday, 29 July 2013

"Key Secured Message" spam / SecureMessage.zip

This spam has a malicious attachment:

Date:      Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From:      "Marcia_Manning@key.com" [Marcia_Manning@key.com]
Subject:      Key Secured Message

You have received a Secured Message from:

Marcia_Manning@key.com

The attached file contains the encrypted message that you have received. To decrypt the message use the following password -  nC4WR706

To read the encrypted message, complete the following steps:

-  Double-click the encrypted message file attachment to download the file to your computer.
-  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
-  The message is password-protected, enter your password to open it.

This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.5844.

Copyright © 2013 KeyCorp®. All Rights Reserved

The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be decrypted with the password supplied in the email (which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46.
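The "password-protected zip containing an executable" pattern can be caught at the mail gateway without knowing the password, because zip encryption only covers entry contents: the central directory, with every file name and flag word, stays in the clear. The following is an added example (not code from this blog or from any of the products named on it) that lists an attachment's entries and flags encrypted executables. The suffix list and the `build_sample_zip` test helper are assumptions made for the example; the helper patches the encryption flag bit by hand because the standard library cannot write encrypted entries.

```python
import io
import zipfile

# Entry names with these suffixes should never arrive inside a "secure message"
# archive.  Assumed list for this example; extend as your environment requires.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Bit 0 of the zip general-purpose flag word marks an entry as encrypted.
ENCRYPTED_FLAG = 0x1


def suspicious_zip_entries(zip_bytes):
    """Inspect a zip attachment without extracting or decrypting it.

    Returns a dict with 'valid' (False for unreadable input), the names of
    'encrypted' entries, the names of 'executables', and 'flag', which is True
    only when an entry is both encrypted and executable.
    """
    result = {"valid": True, "encrypted": [], "executables": [], "flag": False}
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()          # central directory only, no password needed
    except zipfile.BadZipFile:
        result["valid"] = False
        return result
    for info in infos:
        if info.is_dir():
            continue
        if info.flag_bits & ENCRYPTED_FLAG:
            result["encrypted"].append(info.filename)
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            result["executables"].append(info.filename)
    # Flag only the combination seen in this spam run: an encrypted executable.
    result["flag"] = any(n in result["encrypted"] for n in result["executables"])
    return result


def build_sample_zip(name, payload, encrypted):
    """Build a small in-memory zip for testing (constructed sample, not the real
    attachment).  For the encrypted case the flag bit is set by hand in the local
    header (offset 6) and the central-directory record (offset 8); that flag word
    is exactly what the scanner above keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + offset] |= ENCRYPTED_FLAG
                pos = data.find(signature, pos + len(signature))
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_zip("SecureMessage.exe", b"MZ" + b"\x00" * 64, True)
    print(suspicious_zip_entries(sample))
```

Because only the directory is read, the check is cheap and works regardless of the password; a double extension such as `invoice.pdf.exe` is still caught since only the final suffix is compared.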

The Malwr analysis shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel.com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:

[donotclick]a1bridaloutlet.co.uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive.com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93/MM75.exe (5/45)
[donotclick]paulalfrey.com/guBwFA.exe (5/46)

Recommended blocklist:
198.57.130.34
198.61.134.93
webmail.alsultantravel.com
alsultantravel.com
webmail.alsultantravel.info
a1bridaloutlet.co.uk
giftedintuitive.com
paulalfrey.com
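A blocklist like the one above is most useful when it is matched against proxy or DNS logs, with domain entries matching any subdomain (so the `alsultantravel.com` entry also covers `webmail.alsultantravel.com`, and `giftedintuitive.com` covers the `www.` host used for the second-stage download). The following is an added example, not part of the original post, that loads the published list and scans constructed sample proxy lines for hits; the log format (timestamp, client, method, URL) and the sample lines are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# The blocklist published in the post above.  Domain entries match themselves
# and every subdomain; IP entries match exactly.
BLOCKLIST = """
198.57.130.34
198.61.134.93
webmail.alsultantravel.com
alsultantravel.com
webmail.alsultantravel.info
a1bridaloutlet.co.uk
giftedintuitive.com
paulalfrey.com
"""

# Constructed sample proxy log: "timestamp client method url" (not real traffic).
SAMPLE_LOG = """\
1375099724.512 10.0.0.12 POST http://webmail.alsultantravel.com/ponyb/gate.php
1375099725.001 10.0.0.12 GET http://198.61.134.93/MM75.exe
1375099730.338 10.0.0.15 GET http://www.example.com/index.html
1375099731.909 10.0.0.12 GET http://www.giftedintuitive.com/kQYjoPqY.exe
1375099732.100 10.0.0.20 GET http://notalsultantravel.com/
"""


def load_blocklist(text):
    """Split a blocklist into a set of IP addresses and a set of domain names."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.rstrip("."))
    return ips, domains


def host_matches(host, ips, domains):
    """True if host is a listed IP, a listed domain, or a subdomain of one.

    Matching is done on whole labels, so 'notalsultantravel.com' does not match
    the 'alsultantravel.com' entry."""
    host = host.strip().lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def find_hits(log_text, blocklist_text):
    """Return (client, host, url) for every log line whose host is blocklisted."""
    ips, domains = load_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines rather than crash
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if host and host_matches(host, ips, domains):
            hits.append((client, host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in find_hits(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} -> {host}  {url}")
```

With suffix matching in place, the `webmail.alsultantravel.com` entry is redundant next to `alsultantravel.com`, but keeping both costs nothing and documents the host actually observed. A client that appears in the hits for both the `gate.php` check-in and an `.exe` download is the one to look at first, since that is the Pony infection sequence described above.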

2 comments:

MD Cole said...

I got the same thing this morning:

You have received a Secured Message from:

Davis_Costello@key.com

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password - nC4WR706

To read the encrypted message, complete the following steps:

- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.

This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.1442.

Copyright © 2013 KeyCorp®. All Rights Reserved

Robin Norris said...

The ones we saw of this yesterday contained Zeus.