Sponsored by..

Tuesday 5 November 2013

"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

This fake ACH (or is it Paychex?) email has a malicious attachment:

Date:      Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From:      "Paychex, Inc" [paychexemail@paychex.com]
Subject:      ACH Notification : ACH Process End of Day Report

Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.

Thank you for your cooperation.  
Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.

The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2]  and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.

No comments: