Date: Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From: NatWest [secure.message@natwest.co.uk]
Subject: You have received a secure message

You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf

Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr, which has a VirusTotal detection rate of 8/51.

Automated analysis tools [1] [2] [3] show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.
199.193.115.111 (NOC4Hosts, US)
    droidroots.com
    development.pboxhost.com
184.107.149.74 (iWeb, Canada)
    2m-it.com
    3houd.com
50.116.4.71 (Linode, US)
    aulbbiwslxpvvphxnjij.biz
    pwoovaijfrsryxeqtgojbuvsvsovkj.com
    ugfmnjojpinembyyprkoptjbtij.info
    nrhpfongapozhpfwkprxohofhq.biz
    byeqdaufqeujvugwczrocihqb.net
    geugypibqsfqirsogeovqwovvgqsfucm.com
    nvyxbmdfiguizcexgluoyxkjsw.ru
    xcvshidqgwotvfetvcydfajnof.com
Recommended blocklist:
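The delivery pattern above (a .scr executable hidden in a ZIP attached to a fake bank notice) is straightforward to catch at a mail gateway. The following is an added example, not code from the original post: it parses a message, looks inside every ZIP attachment and flags members by executable extension or by the PE "MZ" magic; the sample message and attachment bytes are constructed here and contain no malware.

```python
# Added example, not from the original post: flag ZIP attachments carrying a Windows executable (SecureMessage.zip -> SecureMessage.scr).
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly; a .scr screensaver is an ordinary PE executable.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def suspicious_zip_members(zip_bytes):
    """Return (member name, reason) pairs for members that look executable, checking
    both the extension and the PE 'MZ' magic so a renamed executable is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension " + ext))
            elif zf.open(info).read(2) == b"MZ":
                findings.append((name, "PE header with non-executable extension"))
    return findings

def scan_message(raw_message):
    """Walk every attachment of an RFC 822 message; return {attachment filename: findings}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    results = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload[:4] == b"PK\x03\x04":  # ZIP local file header
            hits = suspicious_zip_members(payload)
            if hits:
                results[part.get_filename()] = hits
    return results

def build_sample_message(member_name="SecureMessage.scr", member_bytes=b"MZ" + b"\x00" * 62):
    """Constructed sample modelled on the spam above; the member body is dummy bytes, not malware."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "NatWest <secure.message@natwest.co.uk>"
    msg["Subject"] = "You have received a secure message"
    msg.set_content("Read your secure message by opening the attachment, SecureMessage.zip.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip", filename="SecureMessage.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```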