Thursday, 22 August 2013

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

This fake Chase spam has a malicious attachment:

Date: Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From: Jed_Gregory [Jed_Gregory@chase.com]
Subject: Remittance Docs 2982780

Please find attached the remittance 2982780.

If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.

Jed_Gregory
Chase Private Banking
Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034

The attachment is in the format Docs_victimdomain.com.zip, which contains an executable Docs_08222013_218.exe (note that the date is encoded into the filename). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe

The downloader then fetches a second component with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.

The Pony/Gate component is hosted on a hijacked GoDaddy domain on 72.5.102.146 (Nuclear Fallout Enterprises, US), one of several such domains on that server; those domains make up the first group of the blocklist below, and the three download hosts follow them.

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
successchamp.com
thenatemiller.biz
thenatemiller.co
thenatemiller.info
thenatemiller.net
thenatemiller.org
watch-fp.biz
watch-fp.ca
watch-fp.com
watch-fp.info
watch-fp.mobi
waterwayrealtyteam.us

jatw.pacificsocial.com
richardsonlookoutcottages.nb.ca
idyno.com.au
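As an added example (not part of the original post), the following Python script turns the two actionable facts above into checks a defender can run: it recognises the Docs_MMDDYYYY_NNN.exe attachment naming scheme and pulls the encoded date out, and it scans proxy log lines for requests to the blocklisted IP and domains (matching subdomains too, so www.jatw.pacificsocial.com is caught by the jatw.pacificsocial.com entry). The log lines are constructed for the demo, and the assumption that the trailing number in the filename is a per-campaign serial is mine, not the post's.

```python
import re
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the blocklist in the post above.
BLOCKED_IPS = {"72.5.102.146"}
BLOCKED_DOMAINS = {
    "dennissellsgateway.com", "justinreid.us", "successchamp.com",
    "thenatemiller.biz", "thenatemiller.co", "thenatemiller.info",
    "thenatemiller.net", "thenatemiller.org",
    "watch-fp.biz", "watch-fp.ca", "watch-fp.com", "watch-fp.info", "watch-fp.mobi",
    "waterwayrealtyteam.us",
    "jatw.pacificsocial.com", "richardsonlookoutcottages.nb.ca", "idyno.com.au",
}

# Attachment naming scheme described in the post: Docs_<MMDDYYYY>_<N>.exe.
# Treating <N> as a serial number is an assumption for this example.
ATTACHMENT_RE = re.compile(r"^Docs_(\d{8})_(\d{1,4})\.exe$", re.IGNORECASE)


def parse_attachment_name(name):
    """Return (date, serial) if the name matches the scheme, else None."""
    m = ATTACHMENT_RE.match(name)
    if not m:
        return None
    try:
        sent = datetime.strptime(m.group(1), "%m%d%Y").date()
    except ValueError:  # eight digits that are not a valid MMDDYYYY date
        return None
    return sent, int(m.group(2))


def host_is_blocked(host):
    """True if host is a blocklisted IP, domain, or subdomain of a blocklisted domain."""
    host = host.lower().rstrip(".")
    try:
        return str(ip_address(host)) in BLOCKED_IPS
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    parts = host.split(".")
    # Check every suffix so that www.jatw.pacificsocial.com matches jatw.pacificsocial.com
    # but notwatch-fp.ca does not match watch-fp.ca.
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


def url_is_blocked(url):
    host = urlsplit(url).hostname
    return bool(host) and host_is_blocked(host)


# Constructed sample proxy log (not real traffic): "timestamp client method url status".
SAMPLE_LOG = """\
2013-08-22T16:01:12Z 10.0.0.15 POST http://watch-fp.ca/ponyb/gate.php 200
2013-08-22T16:01:14Z 10.0.0.15 GET http://www.jatw.pacificsocial.com/VSMpZX.exe 200
2013-08-22T16:01:15Z 10.0.0.15 GET http://72.5.102.146/ponyb/gate.php 200
2013-08-22T16:02:40Z 10.0.0.22 GET http://www.example.com/index.html 200
2013-08-22T16:03:01Z 10.0.0.22 GET http://notwatch-fp.ca/page 200
"""


def scan_log(text):
    """Return (client, url) pairs for requests that reached a blocklisted host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if url_is_blocked(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"blocked host contacted by {client}: {url}")
    print(parse_attachment_name("Docs_08222013_218.exe"))
```

The suffix walk in host_is_blocked is deliberate: a plain substring match would flag unrelated hosts such as notwatch-fp.ca, while an exact match would miss the www. prefix that the second URL in the post actually uses.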
