Sponsored by..

Thursday, 2 April 2015

Malware spam: "invoice@bankline.ulsterbank.ie" / "Outstanding invoice"

This fake banking email leads to malware.

From:    invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date:    2 April 2015 at 11:46
Subject:    Outstanding invoice

Dear [victim],

Please find the attached copy invoice which is showing as unpaid on our ledger.

To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date .

Courtney Mason

Credit Control

Tel: 0845 300 2952 

The link in the email leads to a download location at hightail.com (the sample I saw downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0) which is a file called Doc_0062119-LQ.zip which in turn contains the malicious executable Doc_0062119-LQ.scr.

The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:


 It also POSTs data to (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:

According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.

Recommended blocklist:


No comments: