Sponsored by..

Sunday, 16 February 2014

"Account Credited" / TTCOPY.jar spam

This spam email comes with a malicious .JAR attachment:

From:     Tariq Bashir muimran@giki.edu.pk
Reply-To:     Tariq Bashir [ta.ba@hot-shot.com]
Date:     15 February 2014 11:03
Subject:     Account Credited

Dear Sir,

I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.

Find attached Bank TT  and update us on delivery schedule.

Regards,

Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@hot-shot.com

The spam email originates from 121.52.146.226 (mail.giki.edu.pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50 and the Malwr analysis reports an attempted connection to clintiny.no-ip.biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany).

Although this is an unusual threat, Java attacks are one of the  main ways that an attacker will gain access to your system. I strongly recommend deinstalling Java if you have it installed.

I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:

67.215.4.64/28
67.215.4.120/29
u558801.nvpn.so
jagajaga.no-ip.org
jazibaba.no-ip.org
cyberx2013.no-ip.org
deltonfarmhouse.no-ip.biz
deltoncowstalls.no-ip.org
can2-pool-1194.nvpn.so
jazibaba1.no-ip.biz
ns2.rayaprodserver.com
kl0w.no-ip.org
jajajaja22.no-ip.org
mozillaproxy.zapto.org

No comments: