Wednesday 13 November 2013

The EXE-in-ZIP spam storm continues

Two more EXE-in-ZIP spams. The first is a terse one with a subject of "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" and not much else, carrying a malicious EXE-in-ZIP attachment (VoiceMessage.zip) with a VirusTotal score of 7/46, which calls home [1] [2] [3] to amandas-designs.com on 80.179.141.8 (012 Smile Communications Ltd., Israel).

The second one is a fake Wells Fargo spam similar to this:

We have received this documents from your bank, please review attached documents.

Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47 and calls home [4] [5] [6] to kidgrandy.com on 184.154.15.190 (Singlehop, US).

Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter.
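As an added illustration of that recommendation (this is example code written for this post, not anything from the original), here is a small Python check of the kind a mail gateway could run on ZIP attachments: it flags members with Windows-executable extensions, members whose content starts with the PE "MZ" magic regardless of their name (so a renamed EXE is still caught), and descends into nested ZIPs. The sample archive is constructed in the script to mimic the VoiceMessage.zip lure; the names and helper functions are assumptions for the demo.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run directly when double-clicked; compared case-insensitively.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE (EXE/DLL/SCR) file


def zip_contains_executable(data: bytes, max_depth: int = 2) -> List[str]:
    """Return the names of members (including inside nested ZIPs) that look like executables."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; a separate content-type check would handle it
    for info in zf.infolist():
        if info.is_dir():
            continue
        name, lower = info.filename, info.filename.lower()
        try:
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes; never inflate the whole member
        except RuntimeError:  # encrypted member: fall back to the extension check only
            head = b""
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTS) or head == MZ_MAGIC:
            findings.append(name)
        elif lower.endswith(".zip") and max_depth > 0:
            inner = zip_contains_executable(zf.read(info), max_depth - 1)
            findings.extend(f"{name}/{m}" for m in inner)
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Helper (assumed, for the demo): build an in-memory ZIP from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a double-extension EXE, a benign text file, and a PE renamed to .pdf.
SAMPLE = build_sample_zip({
    "VoiceMessage.pdf.exe": b"MZ" + b"\x90" * 64,
    "readme.txt": b"Please listen to your voicemail",
    "invoice.pdf": b"MZ" + b"\x00" * 64,
})

if __name__ == "__main__":
    for hit in zip_contains_executable(SAMPLE):
        print("BLOCK:", hit)
```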
