Sponsored by..

Monday 13 May 2013

"Confidential - Secure Message from AMEX" spam / SecureMail.zip

This fake Amex email has a malicious attachment:

Date:      Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From:      American Express [Jarvis_Randall@aexp.com]
Subject:      Confidential - Secure Message from AMEX    

Secure Message
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.

Note: The attached file contains encrypted data.

If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Thank you,
American Express

2012 American Express Company. All rights reserved.

There is an attachment SecureMail.zip which in turn contains an executable file SecureMail.exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46.

Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim.com on (DorukNet, Turkey).


The ThreatTrack report also shows a connection to as well as (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it. Update: the ThreatExpert report also shows a connection to (Hanaro Telecom, Korea) which is probably also worth blocking.


No comments: