
Friday 6 September 2013

"Scanned Document Attached" spam / FSEMC.06092013.exe

This fake financial spam contains an encrypted attachment with a malicious file in it.

Date:      Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From:      Fiserv [Lawanda_Underwood@fiserv.com]
Subject:      FW: Scanned Document Attached

Dear Business Associate:

Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.

You have an important message from Adam_Paul@fiserv.com.
To see your message, use the following password to decrypt attached file: JkSIbsJPPai

If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.

This message will be available until  Saturday Sep 07, 2013 at 17:50:42
EDT4

If you have any questions, please contact your Fiserv representative.

Sincerely,
Your Associates at Fiserv

Additional information about Fiserv Secure E-mail is available by
entering http://www.fiserv.com/secureemail/ into your Web browser and
pressing Enter.


The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Attached is an encrypted ZIP file whose name contains part of the victim's email address (or that of somebody else in the same domain) and which has to be decrypted with the password JkSIbsJPPai. Inside it is a malicious executable, FSEMC.06092013.exe (note that the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47.

The malware then phones home to ce-cloud.com:443, hosted on 84.22.177.37 (ioMart, UK), and uploads some data [1] [2] [3] [4]. What happens next is unclear, but you can guarantee that it is nothing good.

Blocking access to ce-cloud.com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it.
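The "EXE-in-ZIP" block suggested above works even when the ZIP is password-protected, as it is in this campaign: ZipCrypto and AES-in-ZIP encrypt member contents but leave member names in the central directory in clear, so a mail gateway can list the archive without the password and see the .exe inside. The following is an added example (not code from the original post) of that check in Python. It flags the executable extensions a gateway typically blocks (a small generalisation of the post's ".exe"), reads the per-entry encrypted flag, and notes a date embedded in the filename as in FSEMC.06092013.exe. The sample archive is constructed in memory; because the standard library cannot write password-protected ZIPs, the encrypted flag bit is patched into the headers afterwards, which is all the check inspects.

```python
import io
import re
import struct
import zipfile

# Extensions Windows will run directly; ".exe" is what the post describes,
# the others are common variants a mail gateway blocks under the same rule.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Bit 0 of the ZIP general-purpose flag marks an encrypted member.
ZIP_FLAG_ENCRYPTED = 0x1

# An 8-digit date embedded in the name, e.g. FSEMC.06092013.exe
DATE_IN_NAME = re.compile(r"\.\d{8}\.")


def inspect_zip(zip_bytes):
    """Describe each member of a ZIP without needing its password.

    Member names and flags come from the central directory, which stays
    unencrypted, so an .exe inside an encrypted ZIP is still visible here.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings.append({
                "name": name,
                "encrypted": bool(info.flag_bits & ZIP_FLAG_ENCRYPTED),
                "executable": name.lower().endswith(EXECUTABLE_EXTENSIONS),
                "dated_name": DATE_IN_NAME.search(name) is not None,
            })
    return findings


def should_block(zip_bytes):
    """The post's policy: reject any ZIP that carries an executable member."""
    return any(f["executable"] for f in inspect_zip(zip_bytes))


def _set_flag(data, signature, flag_offset):
    # OR the encrypted bit into the 16-bit flags field of the first header
    # with the given signature (local file header or central directory entry).
    pos = data.find(signature)
    flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
    data[pos + flag_offset:pos + flag_offset + 2] = struct.pack(
        "<H", flags | ZIP_FLAG_ENCRYPTED)


def build_sample_zip(member_name, encrypted_flag):
    """Construct a sample ZIP in memory (constructed test data, not malware).

    The stdlib cannot write password-protected archives, so when asked for an
    encrypted sample the flag bit is patched into both headers after writing.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real executable")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        _set_flag(data, b"PK\x03\x04", 6)   # local header: flags at +6
        _set_flag(data, b"PK\x01\x02", 8)   # central dir entry: flags at +8
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_zip("FSEMC.06092013.exe", encrypted_flag=True)
    for finding in inspect_zip(sample):
        print(finding)
    print("block:", should_block(sample))
```

The check deliberately never calls `ZipFile.read()`, which would fail on an encrypted member without the password; listing the central directory is enough to apply the policy, which is why a content-agnostic "EXE-in-ZIP" rule survives the attacker's use of encryption where an antivirus scan of the payload (6/47 here) would not.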
