Friday, 19 December 2014

Malware spam: "Blocked Transaction. Case No 970332"

This fake ACH spam leads to malware:

Date:    19 December 2014 at 16:06
Subject:    Blocked Transaction. Case No 970332

The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID     083520
Transaction Amount     1458.42 USD
Sender e-mail     info@victimdomain
Reason of Termination     See attached statement

Please open the word file enclosed with this email to get more info about this issue. 

In the sample I have seen, the attachment is ACH transfer 1336.doc which, despite the name, is actually a .DOCX file with a VirusTotal detection rate of 4/54. Inside are a series of images detailing how to turn off macro security.. which is a very bad idea.

If you are daft enough to enable macros, then this macro [pastebin] will run and download a malicious binary from http://nikolesy.com/tmp/ten.exe; this has a VirusTotal detection rate of 8/51 and is identified as the Dridex banking trojan.
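The attachment described above has two tells a mail gateway can catch without running anything: a ".doc" name on what is really a zip-based OOXML container, and a VBA project inside a format that should not carry one. As an added example (not from the original post), this Python triage helper flags both on a constructed in-memory sample; the function names and the minimal zip contents are assumptions.

```python
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"      # OOXML (.docx/.docm) is a zip container
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy binary .doc is an OLE compound file


def build_sample_attachment(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
        if with_macro:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()


def triage_word_attachment(filename: str, data: bytes) -> dict:
    """Flag a Word attachment whose bytes disagree with its name or that embeds VBA."""
    name = filename.lower()
    is_ooxml = data.startswith(OOXML_MAGIC)
    is_ole = data.startswith(OLE_MAGIC)
    # A ".doc" name should be an OLE file; a zip container under that name is a mismatch.
    mismatch = name.endswith(".doc") and is_ooxml
    has_vba = False
    if is_ooxml:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
            has_vba = "word/vbaproject.bin" in names
            # Also check the declared part types: a .docx should never declare a VBA part.
            if "[content_types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                has_vba = has_vba or "vbaproject" in ctypes
    return {
        "ooxml": is_ooxml,
        "ole": is_ole,
        "extension_mismatch": mismatch,
        "has_vba_project": has_vba,
        "block": mismatch or has_vba,
    }


if __name__ == "__main__":
    sample = build_sample_attachment(with_macro=True)
    print(triage_word_attachment("ACH transfer 1336.doc", sample))
```

A clean .docx with no VBA part and a legacy OLE .doc both pass, so the check targets the specific mismatch and macro-bearing container seen in this campaign rather than all Word attachments.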

1 comment:

David said...

Well my bookkeeper has opened it on her computer and now I'm trying to figure out the solution. Anyone know how to effectively remove it?