Date: Fri, 7 Jun 2013 20:41:25 +0600 [10:41:25 EDT]
From: "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject: PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment Network.

The remittance details for the payment(s) are attached (CD06072013.389710762910.zip).

- The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits.

For additional information about Deposits, Fees, or your American Express merchant agreement:
Contact American Express Merchant Services at 1-800-528-0265 Monday to Friday, 8:00 AM to 8:00 PM ET.
- You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services.

If you are not enrolled in My Merchant Account/OMS, you can do so at www.americanexpress.com/mymerchantaccount or call us at 1-866-220-3581, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll be glad to help you.

For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service: https://www.americanexpress.com/messagecenter

******************************************************************************
"This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you."
******************************************************************************

Attached to the email is an archive file called CD06072013.389710762910.zip which in turn contains an executable named CD06072013.239871839.exe (note that the date is included in the filename). VirusTotal reports that just 8/46 anti-virus scanners detect it.
The Comodo CAMAS report gives some details about the malware, including the following checksums:

MD5: fd18576bd4cf1baa8178ff4a2bef0849
SHA1: 8b8ba943393e52a3972c11603c3f1aa1fc053788
SHA256: f31ca8a9d429e98160183267eea67dd3a6e592757e045b2c35bb33d5e27d6875
The malware attempts to download further components from storeyourbox.com on 97.107.137.239 (Linode, US), which looks like a legitimate server that has been badly compromised. The following domains appear to be hosted on the same server; I would advise treating them all as dangerous at the moment:
drjoycethomasderm.com
goodvaluemove.com
jacksonmoving.com
jacksonmoving.net
napervillie-movers.com
reebie.net
storageandmoving.net
storeyourbox.com
storeyourbox.net
storeyourthings.net
Update: the ThreatExpert report took a long time to process, but is quite interesting. It shows DNS queries for:
storeyourbox.com
storeyourbox.net
storeyourthings.net
drjoycethomasderm.com
www.archeting.it
www.errezeta.biz
190.147.81.28
207.204.5.170
The following URLs are accessed:
[donotclick]www.archeting.it/86zP.exe
[donotclick]www.errezeta.biz/ToSN79T.exe
[donotclick]190.147.81.28/yqRSQ.exe
[donotclick]207.204.5.170/PXVYGJx.exe
archeting.it and errezeta.biz are hosted on IPs belonging to Aruba S.p.A. in Italy (62.149.132.57 and 62.149.131.162 respectively). I've long suspected that there's a serious problem with Aruba due to a very high incidence of malware sites. Those are shared hosting IPs and as far as I can tell the rest of the sites on those servers are clean.
190.147.81.28 and 207.204.5.170 (Telmex, Colombia and Register.com US) have been seen before and don't seem to be shared hosts. I would strongly recommend blocking them.
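As an added example (not code from the original post), the following Python script turns the indicators above into a check that can be run over proxy logs: the domains on the compromised Linode server and the two Aruba-hosted download sites are matched by domain (including subdomains such as www.archeting.it), the two non-shared hosts are matched by IP, and the four payload URLs are matched by host and path. The Aruba IPs are deliberately not in the IP blocklist, since the post says the other sites on those shared hosts appear clean. The Squid-format log lines are constructed for the example and are not real traffic.

```python
"""Check proxy logs against the indicators listed in the post.

Added example, not the post's own code. SAMPLE_LOG is constructed
Squid native-format data for demonstration only.
"""
from urllib.parse import urlsplit

# Indicators quoted from the post.
IOC_DOMAINS = {
    # sites seen on the compromised Linode server 97.107.137.239
    "drjoycethomasderm.com", "goodvaluemove.com", "jacksonmoving.com",
    "jacksonmoving.net", "napervillie-movers.com", "reebie.net",
    "storageandmoving.net", "storeyourbox.com", "storeyourbox.net",
    "storeyourthings.net",
    # second-stage download sites on Aruba shared hosting
    "archeting.it", "errezeta.biz",
}
# Hosts the post recommends blocking outright. The Aruba IPs
# (62.149.132.57, 62.149.131.162) are shared hosting and are left out;
# traffic to them is caught only through IOC_DOMAINS.
IOC_IPS = {"97.107.137.239", "190.147.81.28", "207.204.5.170"}
# (host, path) pairs for the payload URLs from the ThreatExpert report.
IOC_DOWNLOADS = {
    ("www.archeting.it", "/86zP.exe"),
    ("www.errezeta.biz", "/ToSN79T.exe"),
    ("190.147.81.28", "/yqRSQ.exe"),
    ("207.204.5.170", "/PXVYGJx.exe"),
}


def host_matches(host):
    """True if host is an IOC domain or a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels)))


def classify_url(url, dest_ip=None):
    """Return the reasons a request matches the indicators (empty if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if (host, parts.path) in IOC_DOWNLOADS:
        reasons.append("known payload URL")
    if host_matches(host):
        reasons.append("IOC domain " + host)
    elif host in IOC_IPS:
        reasons.append("IOC IP " + host)
    if dest_ip in IOC_IPS:
        reasons.append("connection to IOC IP " + dest_ip)
    return reasons


def parse_squid_line(line):
    """Parse one Squid native access.log line into the fields we need."""
    f = line.split()
    if len(f) < 10:
        return None
    # field 8 is hierarchy/peer, e.g. DIRECT/62.149.132.57 or NONE/-
    peer = f[8].split("/", 1)[1] if "/" in f[8] else None
    return {"client": f[2], "method": f[5], "url": f[6], "dest_ip": peer}


def scan_log(lines):
    """Return (client, url, reasons) for every line matching the indicators."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = classify_url(rec["url"], rec["dest_ip"])
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


# Constructed sample log: one infected client fetching the stager site and
# two payloads, and one clean client, including a visit to a clean site that
# happens to share an Aruba IP with archeting.it.
SAMPLE_LOG = """\
1370609000.101 312 10.1.1.20 TCP_MISS/200 51200 GET http://storeyourbox.com/index.php - DIRECT/97.107.137.239 text/html
1370609003.447 890 10.1.1.20 TCP_MISS/200 224256 GET http://www.archeting.it/86zP.exe - DIRECT/62.149.132.57 application/octet-stream
1370609005.002 410 10.1.1.20 TCP_MISS/200 198144 GET http://190.147.81.28/yqRSQ.exe - DIRECT/190.147.81.28 application/octet-stream
1370609010.750 120 10.1.1.31 TCP_HIT/200 8192 GET http://www.example.com/ - NONE/- text/html
1370609012.333 200 10.1.1.31 TCP_MISS/200 4096 GET http://shop.example.it/ - DIRECT/62.149.132.57 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Matching on the parent domain rather than the exact hostname is what catches the www. prefixes in the ThreatExpert DNS list, and matching payloads by host and path rather than by full URL avoids depending on the scheme, which the report does not show.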