Monday, 26 January 2015

Malware spam: "CardsOnLine@natwesti.com" / "Cards OnLine E-Statement E-Mail Notification"

This fake NatWest email leads to malware:

From:    CardsOnLine [CardsOnLine@natwesti.com]
Date:    26 January 2015 at 13:06
Subject:    Cards OnLine E-Statement E-Mail Notification


Dear Customer

Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 from Cards OnLine is now available.

For more information please check link: http://afreshperspective.com/NATWEST_BANK-MESSAGES-STORAGE/new.secured_document.html

Thank you
Cards OnLine

Many internet users have recently been targeted through bogus E-Mails by fraudsters claiming to be from their bank. These E-Mails ask customers to provide their internet banking security details in order to reactivate their account or verify an E-Mail address.

Please be on your guard against E-Mails that request any of your security details. If you receive an e-mail like this you must not respond.

Please remember that, for security reasons, apart from when you create them at registration or when you change your Internet Pin or Password, we will only ever ask you to enter random characters from your Internet PIN and Password when you logon to this service.

You must keep your security details secret. We would never ask you, by E-Mail, to enter (or record) these details in full and you must not respond to E-Mails asking for this information.

National Westminster Bank Plc, Registered in England No 929027. Registered
Office: 135 Bishopsgate, London EC2M 3UR. Authorised and regulated by the Financial Services Authority.

This E-Mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet E-Mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

Users who click the link see a download page similar to this:

The link in the email downloads a randomly-named file in the format security_notice55838.zip, which contains a malicious binary with a name similar to security_notice18074.exe.

This binary has a VirusTotal detection rate of 1/56 and is identified by Norman AV as Upatre. Automated analysis tools are not particularly enlightening [1] [2].
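As an added example (not part of the original post), the two indicators described above turned into a simple mail-gateway check: it flags lure URLs using the campaign's /NATWEST_BANK-MESSAGES-STORAGE/ path and inspects a downloaded ZIP for an executable named security_notice<digits>.exe, generalising slightly to flag any other .exe inside the archive as well. The sample email text and the in-memory ZIP are constructed here for the demonstration; the function names are my own.

```python
import io
import re
import zipfile

# Patterns taken from the post: the download is security_notice<digits>.zip
# holding security_notice<digits>.exe, and the lure link uses a path of the
# form /NATWEST_BANK-MESSAGES-STORAGE/<page>.html on a compromised site.
ZIP_NAME_RE = re.compile(r"^security_notice\d+\.zip$", re.IGNORECASE)
EXE_NAME_RE = re.compile(r"^security_notice\d+\.exe$", re.IGNORECASE)
LURE_URL_RE = re.compile(
    r"https?://[^\s\"'<>]+?/NATWEST_BANK-MESSAGES-STORAGE/[^\s\"'<>]+",
    re.IGNORECASE,
)

# Constructed sample: the relevant lines of the email body quoted in the post.
SAMPLE_EMAIL = (
    "Your July 30, 2014 E-Statement for account number xxxxxxxxxxxx6956 "
    "from Cards OnLine is now available.\n"
    "For more information please check link: "
    "http://afreshperspective.com/NATWEST_BANK-MESSAGES-STORAGE/"
    "new.secured_document.html\n"
)


def find_lure_urls(text):
    """Return every URL in an email body whose path matches the campaign pattern."""
    return LURE_URL_RE.findall(text)


def zip_findings(zip_name, zip_bytes):
    """Inspect a downloaded ZIP in memory and return the reasons it looks like this lure."""
    findings = []
    if ZIP_NAME_RE.match(zip_name):
        findings.append("zip name matches security_notice<digits>.zip")
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if EXE_NAME_RE.match(info.filename):
                    findings.append("contains " + info.filename)
                elif info.filename.lower().endswith(".exe"):
                    findings.append("contains executable " + info.filename)
    except zipfile.BadZipFile:
        findings.append("not a valid zip archive")
    return findings


def build_sample_zip():
    """Constructed sample: a harmless text member stored under the dropper's naming pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("security_notice18074.exe", b"placeholder, not a real binary")
    return buf.getvalue()
```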


ager said...

It seems these guys have been cleaning up these pages pretty quick. I noticed this fresh perspective page serving up malicious javascripts not long ago. (Friday I think) When I revisited it seemed to have been removed on serving up a blank .js file (1kb). It looked like the content had been deleted. Now we see the same website again (A different page) involved in this attack. I just took a peek at this(urlquery) and it's now displaying some odd sentences instead of the banking page.

It currently says "steam when intself could foot"
Wonder when we will see this site host something else.

Conrad Longmore said...

@ager - sometimes you get nonsense text instead of a payload.. for example, if the user-agent is wrong. Sometimes I think the javascript expires, and sometimes I think there is a limit counter on the number of times an IP can access the download.

I'm not quite sure of the trigger mechanism, but it does seem like a strategy to prevent analysis.

ager said...

Interesting. So maybe worth probing with a curl request and trying different user agents to see if response is any different. Can't see any other way to do much about java expiring or IP counting. We are always going to be on the back foot :)

Conrad Longmore said...

I read somewhere else that it is almost impossible to do with curl because of the way the script queries host information from the client. It does seem to work in IE on Windows, or on another browser emulating it with a UA switcher.