Wednesday 30 September 2015

Malware spam: "FW : Incoming SWIFT" / "Clyde Medina" [Clyde.Medina@swift.com]

This fake banking email comes with a malicious attachment:

From     "Clyde Medina" [Clyde.Medina@swift.com]
Date     Wed, 30 Sep 2015 12:35:56 GMT
Subject     FW : Incoming SWIFT

We have received this documents from your bank regarding an incoming SWIFT transfer.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

Attached is a file, SWIFT_transfer.zip, containing a malicious executable, SWIFT_transfer.scr, which currently has a detection rate of 2/56.

Automated analysis is pending, although the payload is almost definitely Upatre/Dyre. Please check back later.

UPDATE:
The Hybrid Analysis report shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address, 197.149.90.166 in Nigeria, which I recommend you block or monitor.
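
A mail-gateway style check for the attachment pattern described above, a ZIP whose member is a Windows executable such as a .scr file. This is an added example, not part of the original post; the function names and the extension list are assumptions, and the sample message is constructed with harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will run directly; illustrative list (assumption), not exhaustive.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def executable_members(zip_bytes):
    """Return names of archive members whose extension is executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()  # names are readable even if entries are encrypted
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(n.lower().endswith(e) for e in EXECUTABLE_EXTS)]


def scan_message(raw):
    """Map each ZIP attachment's filename to its executable members."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too, so a renamed archive is still inspected.
        if name.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            hits = executable_members(payload)
            if hits:
                findings[name] = hits
    return findings


def build_sample():
    """Constructed test message: placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_transfer.scr", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "FW : Incoming SWIFT"
    msg.set_content("Constructed body text for the example.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="SWIFT_transfer.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```
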
