Monday 13 May 2013

"Confidential - Secure Message from AMEX" spam / SecureMail.zip

This fake Amex email has a malicious attachment:

Date:      Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From:      American Express [Jarvis_Randall@aexp.com]
Subject:      Confidential - Secure Message from AMEX    

Secure Message
                   
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.

Note: The attached file contains encrypted data.

If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Thank you,
American Express

2012 American Express Company. All rights reserved.

There is an attachment SecureMail.zip which in turn contains an executable file SecureMail.exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46.

Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim.com on 212.58.4.13 (DorukNet, Turkey).

Size: 137216
MD5: 20de8bad8bf8279e4084e9db461bd140
SHA1: caacc00d68f41dad9b1abb02f9e243911f897852
SHA256: 18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7

The ThreatTrack report also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it. Update: the ThreatExpert report also shows a connection to 116.122.158.195 (Hanaro Telecom, Korea) which is probably also worth blocking.
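As an added illustration of the "block EXE-in-ZIP at the perimeter" advice (example code written for this page, not something from the post or from any of the sandbox services it cites), the script below opens a ZIP attachment in memory and flags any member that is executable by extension, executable by content (a PE file starts with the "MZ" DOS header, whatever icon or name it carries), or matches the hashes quoted above. The extension set is my own choice, and the sample archive is constructed inline: its "SecureMail.exe" is just an MZ header plus padding, not the real file, so it will not match the quoted hashes.

```python
import hashlib
import io
import os
import zipfile

# Hashes of SecureMail.exe as quoted in the post.
KNOWN_BAD = {
    "md5": "20de8bad8bf8279e4084e9db461bd140",
    "sha1": "caacc00d68f41dad9b1abb02f9e243911f897852",
    "sha256": "18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7",
}

# Extensions treated as executable. This set is the example's own choice
# (assumption), not something the post specifies; extend it to local policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def inspect_member(name, data):
    """Classify one archive member by its name, its content and its hashes."""
    ext = os.path.splitext(name.lower())[1]
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {
        "name": name,
        "exe_extension": ext in EXECUTABLE_EXTENSIONS,
        # A PE executable begins with the "MZ" DOS header regardless of its
        # file name or the icon embedded in it, so this catches renamed files.
        "pe_magic": data[:2] == b"MZ",
        "known_bad": any(digests[k] == v for k, v in KNOWN_BAD.items()),
        "sha256": digests["sha256"],
    }


def inspect_zip(zip_bytes):
    """Return one finding per file inside a ZIP attachment (directories skipped)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(inspect_member(info.filename, zf.read(info)))
    return findings


def should_block(findings):
    """Block the attachment if any member looks executable or matches a known hash."""
    return any(f["exe_extension"] or f["pe_magic"] or f["known_bad"] for f in findings)


def build_sample_zip():
    """Constructed test input: a harmless text file, a fake 'SecureMail.exe'
    (MZ header plus padding, not a real PE) and the same stub renamed to .pdf."""
    stub = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real executable"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "This is only a text file.\n")
        zf.writestr("SecureMail.exe", stub)
        zf.writestr("Statement.pdf", stub)  # extension lies, magic does not
    return buf.getvalue()


if __name__ == "__main__":
    findings = inspect_zip(build_sample_zip())
    for f in findings:
        print(f)
    print("block attachment:", should_block(findings))
```

The third member shows why an extension-only filter is not enough: "Statement.pdf" passes the name check but is still flagged by the MZ header. In a real gateway the hash set would be fed from a blocklist rather than hard-coded.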

Blocklist:
mail.yaklasim.com
212.58.4.13
62.233.104.156
116.122.158.195