
Wednesday 4 December 2013

"Department of Treasury Notice of Outstanding Obligation" spam / FMS-Case.exe

This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.

Date:      Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852

Important  please review and sign the attached document!

We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.

In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue.  Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Questions should be directed to the Federal Service Desk at:

http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-6762
Int. Phone 1-344-206-6275 for international calls
For DSN, dial 809-463-9774. Wait for a dial tone, and then dial 866-606-4580.

Attached is a file FMS-Case-CWK8SSU4K6CN852.zip, which in turn contains a malicious executable FMS-Case.exe with a VirusTotal detection rate of 7/49. Automated analysis tools [1] [2] show an attempted connection to worldofchamps.com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran.com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part (the downloaded deshp.exe) has a VirusTotal detection rate of 6/47, although automated analysis tools are inconclusive. I recommend blocking both those domains.
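Alongside blocking, it is worth checking whether any internal host has already contacted these indicators. The following is an added example, not part of the original post: it scans web proxy log lines for the two domains and two IPs named above. The log format, client addresses and sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators taken from the post above.
BAD_DOMAINS = {"worldofchamps.com", "deshapran.com"}
BAD_IPS = {"198.1.78.171", "182.18.143.140"}

def host_matches(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in BAD_DOMAINS:
        # Match on a label boundary so "notworldofchamps.com" is not a hit.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(lines):
    """Return a list of (client, indicator, kind) for lines that hit an indicator.

    Assumed (hypothetical) line format:
        <timestamp> <client_ip> <dest_ip> <method> <url>
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at fields
        _, client, dest_ip, _, url = parts
        # CONNECT lines carry "host:port" with no scheme; add "//" so it parses.
        if "://" not in url:
            url = "//" + url
        domain = host_matches(urlsplit(url).hostname or "")
        if domain:
            hits.append((client, domain, "domain"))
        elif dest_ip in BAD_IPS:
            # IP-only hit: lower confidence, hosting IPs can serve many sites.
            hits.append((client, dest_ip, "ip"))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-12-04T13:31:02Z 10.0.0.21 198.1.78.171 GET http://WWW.worldofchamps.com/",
    "2013-12-04T13:31:07Z 10.0.0.21 182.18.143.140 GET http://deshapran.com/img/deshp.exe",
    "2013-12-04T13:40:11Z 10.0.0.35 192.0.2.10 GET http://notworldofchamps.com/",
    "2013-12-04T13:41:55Z 10.0.0.40 198.1.78.171 CONNECT 198.1.78.171:443",
    "2013-12-04T13:42:30Z 10.0.0.35 192.0.2.10 GET http://example.org/?ref=deshapran.com",
    "truncated line",
]

if __name__ == "__main__":
    for client, indicator, kind in scan(SAMPLE_LOG):
        print(f"{client} contacted {indicator} ({kind} match)")
```

A client that hits both indicators in sequence, like 10.0.0.21 in the sample, is consistent with the attachment having been run and the second download fetched.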
