Sponsored by..

Thursday, 8 August 2013

Citibank spam / Loan_08082013.exe

This fake Citibank spam comes with a malicious attachment:

Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]
From:      Erin_Gay [Erin_Gay@citibank.com]
Subject:      RE: Loan Approved

Your documents are ready , please sign them and email them back.

Thank you

Erin_Gay
Level III Account Management
817-835-6023 office
817-074-9181 cell Erin_Gay@citibank.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

The security of personal information about you is our priority. We protect this
information by maintaining physical, electronic, and procedural safeguards that meet
applicable law. We train our employees in the proper handling of personal information.
When we use other companies to provide services for us, we require them to protect the
confidentiality of personal information they receive.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

The attachment is in the format Loan.recipient-name.zip and contains the executable Loan_08082013.exe (note the date is encoded into the filename).

The initial file is just a trojan downloader. VirusTotal results are 10/45. The Malwr analysis gives some excellent details of what is going in, included attempted downloads from the following locations:
[donotclick]www.arki.com/ponyb/gate.php
[donotclick]ftp.miniaturesbykim.com/fzKU1Y.exe
[donotclick]www.gfchargers.org/iwa4s1.exe
[donotclick]ftp.jason-tooling.com/nhdx.exe
[donotclick]www.rachelcondry.com/nLiZVHtr.exe

This downloads a Zeus variant with a very low detection rate of 4/45. The Malwr analysis for this part shows some apparent peer-to-peer traffic (note some of these IPs are legitimate and belong to Google):
88.84.107.110
184.39.153.172
116.15.200.129
108.210.216.93
79.10.245.249
130.251.186.103
75.32.154.102
50.65.158.6
99.146.98.160
69.246.97.159
76.226.134.206
88.68.122.74
200.91.49.183
157.100.168.252
99.181.10.118
108.234.133.110
108.240.232.212
108.74.172.39
178.238.233.29
69.115.119.227
99.26.122.34
173.194.67.99
23.25.36.93
173.194.67.94
174.96.27.128
2.158.160.98
123.201.22.66
187.214.18.148
174.141.40.194
97.67.116.122
173.209.69.2
103.1.71.126
204.155.62.5
97.96.126.195
208.118.221.212
50.78.124.173

No comments: