Sponsored by..

Friday, 13 September 2013

citizensbank.com "Issue File I3774 Processed" spam

For some reason I'm seeing a lot of these EXE-in-ZIP attacks recently. Here's another one with a malicious attachment:

Date:      Fri, 13 Sep 2013 11:09:53 -0500 [12:09:53 EDT]
From:      "GISPROD@citizensbank.com" [GISPROD@citizensbank.com]
Subject:      Issue File I3774 Processed

Regarding Issue File 3774 - Total Issue Items # 36 Total Issue Amount $42,171.75 This
will confirm that your issue file has been processed. Please verify the information in
attached report; if you find there are discrepancies in what you believe your totals
should be and what we have reported, please contact the Reconciliation Department at
1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24
hours after you receive this notice. *** Please note, this message was created on the RBS
FileGateway system ***

-----------------------------------------
Use of email is inherently insecure. Confidential information,
including account information, and personally identifiable
information, should not be transmitted via email, or email
attachment. In no event shall Citizens or any of its affiliates
accept any responsibility for the loss, use or misuse of any
information including confidential information, which is sent to
Citizens or its affiliates via email, or email attachment. Citizens
does not guarantee the accuracy of any email or email attachment,
that an email will be received by Citizens or that Citizens will
respond to any email. This email message is confidential and/or privileged. It is to be
used by the intended recipient only. Use of the information
contained in this email by anyone other than the intended recipient
is strictly prohibited. If you have received this message in error,
please notify the sender immediately and promptly destroy any
record of this email.
There is a malicious attachment called issue_report_I3774.zip which in turn contains an executable file issue_report_I6576543219672.exe which has a detection rate of 12/47 at VirusTotal. Automated analysis [1] [2] [3] shows some of the mechanics of the malware, including network communications with wptutes.com on 74.221.210.124 (DME Hosting LLC, US).

Recent experience with this type of attack shows that when one domain on a sever is compromised, then they all are. If you want to block everything then the following domains appear to be on that server:

2ndry.com
bar-stool.info
electric-wheelchair.info
freeb4u.com
gov-l.net
hot-buys.org
hot-water.org
iconsumers.org
leather-handbags.info
storage-cabinets.info
thesafeconsumer.com
wptutes.com

No comments: