Thursday, 12 September 2013

QuickBooks spam /

This fake QuickBooks spam has a malicious attachment:

Date:      Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From:      QuickBooks Invoice []
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Quentin Sprague

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 
The attachment is which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46.

Automated analysis [1] [2] [3] [4] shows that amongst other things, the file attempt to communicate with the domain on an apparently compromised server at which has been seen before.

Given that there are now several domains serving malware on the same server [1] [2] it is probably safe to assume that all the domains on that server are malicious and should be blocked.

Recommended blocklist:

No comments: