
Monday 24 June 2013

"Fiserv Secure Email Notification - TBTATU41DMJDT5B" spam / SecureMessage_TBTATU41DMJDT5B.zip

This fake FISERV email has a malicious attachment SecureMessage_TBTATU41DMJDT5B.zip containing a trojan named SecureMessage.exe:

Date:      Mon, 24 Jun 2013 07:27:59 -0600 [09:27:59 EDT]
From:      Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:      Fiserv Secure Email Notification - TBTATU41DMJDT5B
Part(s):     
      2      SecureMessage_TBTATU41DMJDT5B.zip      [application/zip]      104 KB

You have received a secure message

Read your secure message by opening the attachment, SecureMessage_TBTATU41DMJDT5B.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  SUgDu07dn

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.710.6198.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Ask yourself this question: why would you encrypt a message and then put the password in the email? Simple.. to get past virus scanners, of course! The VirusTotal detection for this malware is just 8/46.
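As an added example (not code from the original post), a small Python triage routine for exactly this evasion pattern: a password-protected ZIP cannot be scanned, but its central directory can still be listed without the password, so a gateway can check the "encrypted" flag bit on each entry, look for an executable name inside, and search the body for a password. The message and the archive are constructed here to mirror the lure; the hashes and URLs in the post are not used.

```python
import email, io, re, struct, zipfile, zlib
from email.message import EmailMessage

# Lure phrasing from the post: "password -  SUgDu07dn"; "\s+" after the separator keeps "password-protected" from matching.
PASSWORD_HINT = re.compile(r"\bpassword\s*[-:]\s+(\S+)", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")

def fake_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Constructed test data: one STORED entry with general-purpose flag bit 0 ('encrypted') set, as in a
    password-protected archive. Hand-built because zipfile cannot write encrypted entries; payload bytes are arbitrary."""
    crc, n = zlib.crc32(payload) & 0xFFFFFFFF, name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0,
                        crc, len(payload), len(payload), len(n), 0) + n + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0,
                          crc, len(payload), len(payload), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def triage(raw: bytes) -> dict:
    """Flag the 'encrypted ZIP plus its password in the same mail' pattern, no AV signature needed."""
    msg = email.message_from_bytes(raw)
    body, report = "", {"password": None, "encrypted_zip": False, "executables": [], "suspicious": False}
    for part in msg.walk():
        fname = part.get_filename()
        if part.get_content_type() == "text/plain" and not fname:
            body += part.get_payload(decode=True).decode(errors="replace")
        elif fname and fname.lower().endswith(".zip"):
            # Listing the directory does not need the password; only extraction does.
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                infos = zf.infolist()
            report["encrypted_zip"] = any(i.flag_bits & 0x1 for i in infos)
            report["executables"] = [i.filename for i in infos
                                     if i.filename.lower().endswith(EXEC_SUFFIXES)]
    m = PASSWORD_HINT.search(body)
    report["password"] = m.group(1) if m else None
    report["suspicious"] = bool(report["executables"]) or (
        report["encrypted_zip"] and report["password"] is not None)
    return report

def build_sample() -> bytes:
    """Constructed message mirroring the lure: password in the body, 'encrypted' ZIP with an .exe."""
    msg = EmailMessage()
    msg["Subject"] = "Fiserv Secure Email Notification - TBTATU41DMJDT5B"
    msg.set_content("You have received a secure message\n\n"
                    "To decrypt the message use the following password -  SUgDu07dn\n\n"
                    "The message is password-protected, enter your password to open it.\n")
    msg.add_attachment(fake_encrypted_zip("SecureMessage.exe", b"MZ" + b"\x00" * 64),
                       maintype="application", subtype="zip",
                       filename="SecureMessage_TBTATU41DMJDT5B.zip")
    return msg.as_bytes()
```

`triage(build_sample())` reports the encrypted flag, the inner `SecureMessage.exe` and the recovered password, which is enough to quarantine the mail before any engine has a signature.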

Other analysis is pending; the malware has the following checksums:
Size: 117248
MD5: fdd154360854e2d9fee47a557b296519
SHA1: d3de7f5514944807eadb641353ac9380f0c64607
SHA256: 1ef3302196f5c4cd9bf97c719e934d612a244a17a20f5a742c15d8203d477f59

UPDATE: the Malwr sandbox has an analysis here. URLs involved in downloading components are:
[donotclick]governodiantarcticland.org/ponyb/gate.php
[donotclick]maxprotection.de/N4k.exe
[donotclick]francescobotti-fashion.com/27ZDM9p.exe
[donotclick]liltommy.com/ep9C.exe
[donotclick]keep-smile.net/t4T.exe
