Friday, 23 August 2013

Wells Fargo spam / WellsFargo_08232013.exe

This fake Wells Fargo spam has a malicious attachment:

Date:      Fri, 23 Aug 2013 09:43:44 -0500 [10:43:44 EDT]
From:      Morris_Osborn@wellsfargo.com

Please review attached documents.

Wells Fargo Advisors
817-718-8096 office
817-610-5531 cell Morris_Osborn@wellsfargo.com

Investments in securities and insurance products are:

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
In this case the attachment is WellsFargo.victimname.zip, which contains a malicious executable WellsFargo_08232013.exe (note that the date is encoded into the filename). The VirusTotal detection rate is just 4/45, but the file itself is unusually small (just 21Kb unzipped, 8Kb zipped), whereas I would normally expect the executable for this sort of malware to be closer to 100Kb.

What does it do? Well, the automated reports show it rummaging through various browser and address book data, and the ThreatTrack report [pdf] shows a DNS lookup of the domain huyontop.com plus what appears to be some peer-to-peer activity. Malwr, Comodo CAMAS and Anubis are somewhat less enlightening.

The WHOIS details for the domain huyontop.com appear to be valid (I won't list them here, look them up if you want); however, the domain was only registered a few days ago. I can't tell you exactly what it is doing, but I would treat huyontop.com as being potentially malicious and block it if you can.
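Two defender-side checks fall out of this post: flagging a zip attachment that carries a small, date-stamped executable, and spotting resolver queries for huyontop.com (or any subdomain of it) in DNS logs. The following is an added example, not code from the original post; the zip member, its contents and the BIND-style query log lines are constructed stand-ins, the 64 KB "small executable" threshold is an assumption based on the ~100Kb the author says is typical, and the log format is assumed rather than taken from any specific resolver.

```python
import io
import re
import zipfile
from datetime import datetime

# Filename pattern seen in the post: WellsFargo_<MMDDYYYY>.exe
DATE_STAMPED_EXE = re.compile(r"^WellsFargo_(\d{2})(\d{2})(\d{4})\.exe$", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
SMALL_EXE_THRESHOLD = 64 * 1024  # assumption: well below the ~100Kb the author expects

# Domain named in the post; subdomains are matched as well
BLOCKED_DOMAINS = {"huyontop.com"}


def build_sample_zip():
    """Constructed stand-in for WellsFargo.victimname.zip: a 21 KB member that is
    just an MZ header followed by zero bytes (no real malware is embedded)."""
    payload = b"MZ" + b"\x00" * (21 * 1024 - 2)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WellsFargo_08232013.exe", payload)
    return buf.getvalue()


def inspect_zip_attachment(zip_bytes):
    """Return [(member_name, [reasons])] for members that look like a mailed dropper."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable inside zip")
            # Look at the bytes, not just the extension: a PE file starts with "MZ"
            if zf.read(info)[:2] == b"MZ":
                reasons.append("MZ header (PE executable)")
            m = DATE_STAMPED_EXE.match(name)
            if m:
                month, day, year = m.groups()
                try:
                    stamp = datetime(int(year), int(month), int(day)).date()
                    reasons.append("date-stamped filename (%s)" % stamp.isoformat())
                except ValueError:
                    pass  # digits that do not form a real date: ignore
            if lower.endswith(".exe") and info.file_size < SMALL_EXE_THRESHOLD:
                reasons.append("unusually small executable (%d bytes)" % info.file_size)
            if reasons:
                findings.append((name, reasons))
    return findings


def domain_is_blocked(qname):
    """True if qname equals a blocked domain or is a subdomain of one."""
    parts = qname.rstrip(".").lower().split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


# Constructed resolver query-log lines (BIND-style format is assumed)
SAMPLE_DNS_LOG = """\
23-Aug-2013 10:44:01.123 client 10.0.0.17#51234: query: huyontop.com IN A + (10.0.0.1)
23-Aug-2013 10:44:02.456 client 10.0.0.22#51235: query: www.example.com IN A + (10.0.0.1)
23-Aug-2013 10:44:03.789 client 10.0.0.17#51236: query: cdn.huyontop.com IN A + (10.0.0.1)
23-Aug-2013 10:44:04.012 client 10.0.0.30#51237: query: nothuyontop.com IN A + (10.0.0.1)
"""
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")


def dns_log_hits(log_text):
    """Return [(client_ip, queried_name)] for queries that match the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and domain_is_blocked(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
    for client, qname in dns_log_hits(SAMPLE_DNS_LOG):
        print("DNS hit:", client, "asked for", qname)
```

The suffix match in domain_is_blocked is deliberate: a plain substring test would also flag nothuyontop.com, while the label-by-label comparison catches cdn.huyontop.com and leaves unrelated names alone. The same two functions can be pointed at a real mail gateway quarantine and a real resolver log with only the sample inputs swapped out.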