Sponsored by..

Friday, 7 February 2014

rbs.co.uk "Important Docs" spam

This fake spam claiming to be from the Royal Bank of Scotland has a malicious attachment:

Date:      Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
From:      Doris Clay [Doris@rbs.co.uk]
Subject:      Important Docs

Account report.

Tel:  01322 589422
Fax: 01322 296116
email: Doris@rbs.co.uk

This information is classified as Confidential unless otherwise stated.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50.

Automated analysis tools [1] [2] show a downlad of en encrypted file from the following locations:

Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.

Recommended blocklist:

No comments: