Sponsored by..

Monday, 13 January 2014

"Department of Treasury Notice of Outstanding Obligation" spam

This US Treasury spam (but apparently sent from salesforce.com) has a malicious attachment:

Date:      Mon, 13 Jan 2014 18:54:16 +0700 [06:54:16 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Department of Treasury Notice of Outstanding Obligation - Case H6SYVMK704BX4AL

Important  please review and sign the attached document!

We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.

In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue.  Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Questions should be directed to the Federal Service Desk at:

http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-5048
Int. Phone 1-344-206-5406 for international calls
For DSN, dial 809-463-3029. Wait for a dial tone, and then dial 866-606-5472. 
Attached is a file FMS-Case-H6SYVMK704BX4AL.zip (VirusTotal detection rate 7/47) which in turn contains a malicious executable FMS-Case-{_Case_DIG}.exe (detection rate also 7/47). The Malwr analysis shows an attempted connection to anggun.my.id on 38.99.253.234 (Cogent, US). This seems to be the only domain on that server, blocking either may be prudent.

No comments: