Sponsored by..

Wednesday 18 March 2015

Malware spam: "JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]" / "FW: Customer account docs"

This fake financial spam comes with a malicious attachment.


From:    JP Morgan Access [Carrie.Tolstedt@jpmorgan.com]
Date:    18 March 2015 at 17:49
Subject:    FW: Customer account docs


JP Morgan

We have received the following documents regarding your account, if you would like to confirm the changes please check / view the documents please click here.


Carrie Tolstedt
Carrie L. Tolstedt
Carrie.Tolstedt@chase.com
Senior Executive Vice President
Community Banking
J.P. Morgan Treasury and Securities Services

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


As it happens, Carrie L Tolstedt is a real executive... at Wells Fargo. The lady in the picture is another Wells Fargo employee entirely.

But anyway, this is a simple forgery containing a link to a file at Cubby which downloads as Documents_JP3922PV8.zip and contains a malicious file Documents_JP3922PV8.exe which has a icon to make it look like an Adobe acrobat file.

The executable has a low VirusTotal detection rate of 3/57.  Various automated analysis tools [1] [2] [3] [4] show the malware downloading additional components from:

bej-it-solutions.com/pvt/ixusn.rtf
capslik.com/mandoc/ixusn.rtf


It then attempts to POST data to an IP at 109.230.131.95 (Vsevnet Ltd. Russia) which is a critical IP to block if you want to protect yourself against this type of Upatre / Dyre attack.

The Malwr report also shows that amongst other things it downloads an executable lwxzqrk36.exe which has a detection rate of just 2/57. That Malwr report also shows that it downloads and pops up a PDF about drone strikes.

Source: malwr.com
Presumably this PDF pops up to make the victim think that they have been duped into opening some politically-themed spam. Instead, they have actually installed the Dyre banking trojan.. in other words, the victim may well think that it is nothing serious when it really is.

The download locations for this Upatre/Dyre combination change all the time, but the IP address of 109.230.131.95  has been around for a little while. Also, it is a characteristic of this malware that it calls out to checkip.dyndns.org to determine the client IP address.. monitoring for traffic going to that location can be a useful indicator of infection.


ssssssssssss

No comments: