Sponsored by..

Thursday, 18 September 2014

"Important - New account invoice" spam leads to malware

This fake NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.

From:     NatWest Invoice [invoice@natwest.com]
Date:     18 September 2014 11:06
Subject:     Important - New account invoice

  Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.

To view/download your invoice please click here or follow the link below :

https://www.nwolb.com/ServiceManagement/InvoicePageNoMenu.aspx?InvoiceCode=Invoice_712816

Thank you for choosing NatWest.

Important: Please do not respond to this message. It comes from an unattended mailbox.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.

The link in this particular email goes to bnsoutlaws.co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws.co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53.

The ThreatTrack report [pdf] shows that the malware attempts to call home to:

188.165.204.210/1809uk1/NODE01/0/51-SP3/0/
188.165.204.210/1809uk1/NODE01/1/0/0/
188.165.204.210/1809uk1/NODE01/41/5/4/
liverpoolfc.bg/images/stories/1809uk1.shh


Recommended blocklist:
188.165.204.210
liverpoolfc.bg

UPDATE: bnsoutlaws.co.uk is now cleaned up, so you can un-block it.

UPDATE:
The same malware is also being pushed by a fake Lloyds Bank email..

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     18 September 2014 11:45
Subject:     Important - Commercial Documents

Important account documents

Reference: C146
Case number: 68819453
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://fleabuster.com/dkklteqsrx/wlodznqmfc.html
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

3 comments:

Pete Braven said...

I had the same junk dumped in my site bulletin board last week. They seem to have found a vulnerability in phpBB that allows a random folder and page dump. I also had a huge .tgz file in there which is of course gone now.
I suspect a bit of obscure buggy code recently found and not yet patched. Definitely a new one on me!

Andy Wallace said...

It got on bnsoutlaws.co.uk via an mchat plugin which has since been removed. The offending code got very little opportunity to propagate as it was contained and removed within 12 hours of infection.
The IP 188.165.204.210 listed in the blog has nothing to do with bnsoutlaws.co.uk and the site should not be blacklisted. At present the site is blacklisted on ESET but we intend to have that status removed as soon as we're confident the code is clean.

Conrad Longmore said...

@Andy, thanks for the update. I will note that the site is clean. 188.165.204.210 is a hub for this sort of infection, that's a critical thing to look for if you monitor web traffic.