Sponsored by..

Tuesday, 13 August 2013

Bank of American spam / Instructions Secured E-mail.zip

This fake Bank of American spam has a malicious attachment:

Date:      Tue, 13 Aug 2013 09:35:13 -0500 [10:35:13 EDT]
From:      "Alphonso.Wilcox" [Alphonso.Wilcox@bankofamerica.com]
Subject:      Instructions Secured E-mail.pdf

I will be forwarding the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mails from us. Just a bit of security for when we transmit confidential information.

Thanks,

Amado.Underwood
Bank of America
Principal Business Relationship Manager
Direct - 915-045-4237 office
Cell - 915-070-4128 cell
Amado.Underwood@bankofamerica.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. 
Attached to the message is a file Instructions Secured E-mail.zip which contains an executable file Instructions Secured E-mail.exe with an icon to make it look like a PDF file.

The detection rate for this initial malware is just 9/45 at VirusTotal.

This is a pony/gate downloader [1] which attempts to download from [donotclick]guterprotectionperfection.com/ponyb/gate.php on 192.81.135.132 (Linode, US). This is the same IP as used in this attack, and it also utilises a hijacked GoDaddy domain.

The download then attempts to download a second stage from the from the following locations [2] (as well as installing all sorts of hooks into your system):
[donotclick]Missionsearchjobs.com/D5F7G.exe
[donotclick]betterbacksystems.com/kvq.exe
[donotclick]www.printdirectadvertising.com/vfMJH.exe
[donotclick]S381195155.onlinehome.us/vmkCQg8N.exe

The second stage has an even lower detection rate of just 3/45. The analyses by Comodo CAMAS and Malwr do give some detail as to how this part infects the target system.

Recommended blocklist:
192.81.135.132
guterprotectionperfection.com
Missionsearchjobs.com
betterbacksystems.com
www.printdirectadvertising.com
S381195155.onlinehome.us

Posted by at
Labels: , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)