
Tuesday 27 October 2015

Malware spam: "Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance" / credbills@denbighshire.gov.uk

I've never had malware spam in Welsh before. This is not from Denbighshire County Council, but is instead a simple forgery with a malicious attachment:

From     "credbills@denbighshire.gov.uk" [credbills@denbighshire.gov.uk]
Date     Tue, 27 Oct 2015 17:46:01 +0530
Subject     Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance

[Welsh: See the attached BACS payment details]

Please see attached Bacs Remittance

[Welsh: Follow us on Twitter: http://twitter.com/cyngorsDd] Follow us on Twitter: http://twitter.com/DenbighshireCC
[Welsh: Visit us online at http://www.sirddinbych.gov.uk] Visit us online at http://www.denbighshire.gov.uk
[The same disclaimer in Welsh; its translation is the English text that follows.]
The information contained in this e-mail message and any files transmitted with it is intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately. The contents of this e-mail represent the views of the individual(s) named above and do not necessarily represent the views of Denbighshire County Council. However, as a Public Body, Denbighshire County Council may be required to disclose this e-mail [or any response to it] under legislative provisions.

Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr (a .scr "screensaver" is an ordinary Windows PE executable and runs on double-click, whatever the extension suggests). This has a VirusTotal detection rate of 5/55. The Hybrid Analysis report shows characteristics common to the Upatre/Dyre banking trojan. In particular, it identifies traffic to a known-bad IP:

197.149.90.166 (Cobranet, Nigeria)

I strongly recommend that you block traffic to that IP.
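As an added example (this is not code from the original post), here are the two checks a mail gateway or SOC would want to automate from a report like this one: opening a .zip attachment and flagging executable members such as the .scr above, and sweeping firewall logs for internal hosts that have already talked to the callback IP. The archive contents, the log lines and their field names (src=, dst=) are constructed for the example, and the .scr member is a text placeholder rather than a real executable.

```python
"""Triage checks for the campaign above.  Added example, not code from the
original post.  The zip archive and the firewall log lines are constructed
here so the script runs offline; the .scr member is a text placeholder, not
a real executable."""
import io
import re
import zipfile

# Extensions Windows executes directly.  A .scr "screensaver" is an ordinary
# PE executable, which is why droppers are so often shipped with that name.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar",
}

# Callback address from the Hybrid Analysis report quoted in the post.
BAD_IPS = {"197.149.90.166"}


def flag_zip_members(zip_bytes: bytes) -> list:
    """Return the names of archive members that carry an executable extension,
    including double-extension tricks such as Remittance.pdf.scr (only the
    final extension decides what Windows runs)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]      # drop any folder prefix
            lower = name.lower()
            ext = ("." + lower.rsplit(".", 1)[-1]) if "." in lower else ""
            if ext in EXECUTABLE_EXTENSIONS:
                flagged.append(name)
    return flagged


def build_sample_zip(members=None) -> bytes:
    """Constructed stand-in for DenbighshireCC.zip.  By default it holds the
    .scr name from the post next to a harmless PDF, both with placeholder bodies."""
    if members is None:
        members = {
            "DenbighshireCC.scr": b"MZ placeholder, not a real executable",
            "Remittance.pdf": b"%PDF-1.4 placeholder",
        }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed firewall lines in a key=value style (hypothetical format);
# adjust the two regexes below to the device you actually have.
SAMPLE_LOG = [
    "Oct 27 13:02:11 fw1 FORWARD src=10.1.2.34 dst=93.184.216.34 dport=443 action=allow",
    "Oct 27 13:02:19 fw1 FORWARD src=10.1.2.34 dst=197.149.90.166 dport=443 action=allow",
    "Oct 27 13:03:01 fw1 FORWARD src=10.1.7.9 dst=8.8.8.8 dport=53 action=allow",
    "Oct 27 13:05:44 fw1 FORWARD src=10.1.7.9 dst=197.149.90.166 dport=80 action=allow",
]

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def match_ioc_connections(log_lines, bad_ips=BAD_IPS):
    """Return (line_number, source_host, destination_ip) for every log line
    whose destination is on the block list: these are the internal hosts that
    already reached the callback address and need to be pulled for investigation."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        dst = DST_RE.search(line)
        if dst and dst.group(1) in bad_ips:
            src = SRC_RE.search(line)
            hits.append((n, src.group(1) if src else "?", dst.group(1)))
    return hits


if __name__ == "__main__":
    print("flagged attachment members:", flag_zip_members(build_sample_zip()))
    for n, src, dst in match_ioc_connections(SAMPLE_LOG):
        print(f"line {n}: {src} -> {dst}")
```

Blocking the IP at the perimeter stops future callbacks; the log sweep is what tells you which hosts opened the .scr before the block went in, which is the part a 5/55 detection rate means you cannot rely on the endpoint AV to have caught.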


