
Monday 30 September 2013

Wells Fargo "Important Documents" spam with a malicious ZIP file

This fake Wells Fargo spam comes with a malicious attachment:

Date:      Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From:      Bryon Faulkner [Bryon.Faulkner@wellsfargo.com]
Subject:      Important Documents


Please review attached documents.

Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell Bryon.Faulkner@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

The attached document starts with "Documents_" followed by the first part of the recipient's email address. Or at least that is the way it is meant to work; in practice it will probably carry the name of a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe).

The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48. Automated analysis [1] [2] [3] shows an attempted connection to the site demandtosupply.com on 84.22.177.37 (ioMart, UK) which is a server spotted in a similar attack a few weeks ago.
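One way to turn the attachment naming pattern described above into a mail-gateway check, as an added example that is not from the original post: it matches the outer ZIP name against Documents_<local part>.zip, looks inside for a Documents_MMDDYYYY.exe and validates the date. The recipient address, attachment name and in-memory sample ZIP are constructed test inputs.

```python
import io
import re
import zipfile
from datetime import datetime

# Outer attachment: "Documents_" + the local part of a recipient address, zipped.
OUTER_RE = re.compile(r"^Documents_(?P<local>[^@/\\]+)\.zip$", re.IGNORECASE)
# Inner payload: "Documents_" + MMDDYYYY + ".exe" (here Documents_09302013.exe).
INNER_RE = re.compile(r"^Documents_(?P<date>\d{8})\.exe$", re.IGNORECASE)


def match_campaign(recipient: str, attachment_name: str, attachment_bytes: bytes) -> dict:
    """Check one attachment against the naming pattern and report what matched."""
    verdict = {"outer_name": False, "recipient_match": False,
               "inner_exe": None, "date_valid": False}
    m = OUTER_RE.match(attachment_name)
    if not m:
        return verdict
    verdict["outer_name"] = True
    # The post notes the name may belong to another recipient in the same
    # domain, so a local-part match raises confidence but is not required.
    local_part = recipient.split("@", 1)[0]
    verdict["recipient_match"] = m.group("local").lower() == local_part.lower()
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            for info in zf.infolist():
                im = INNER_RE.match(info.filename)
                if im is None:
                    continue
                verdict["inner_exe"] = info.filename
                try:  # the embedded date must be a real MMDDYYYY date
                    datetime.strptime(im.group("date"), "%m%d%Y")
                    verdict["date_valid"] = True
                except ValueError:
                    pass
    except zipfile.BadZipFile:
        pass  # not a ZIP at all: the outer name alone is weak evidence
    return verdict


def is_suspicious(verdict: dict) -> bool:
    """Flag when the outer name pattern AND a date-named .exe inside both match."""
    return verdict["outer_name"] and verdict["inner_exe"] is not None


def build_sample_zip(inner_name: str = "Documents_09302013.exe") -> bytes:
    """Constructed test fixture: a ZIP holding a harmless stand-in for the .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder, not a real executable")
    return buf.getvalue()
```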

Unfortunately, where more than one domain on a server is compromised, it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box (listed below), so exercise caution if deciding to block them.

Recommended blocklist:
84.22.177.37
demandtosupply.com
ce-cloud.com

Sites hosted on 84.22.177.37, for information only:
