Sponsored by..

Tuesday 1 April 2014

rbs.com "RE: Copy" spam

This very terse spam has a malicious attachment:

Date:      1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From:      Kathryn Daley [Kathryn.Daley@rbs.com]
Subject:      RE: Copy

(Copy-01042014) 
The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50.

The Malwr analysis shows that is has the characteristics of P2P/Gameover Zeus and it makes several network connections starting with a download of a configuration file from: [donotclick]photovolt.ro/script/0104UKd.bis

The malware then tries to contact a number of other domains. I recommend using the following blocklist:
50.116.4.71
photovolt.ro
aulbbiwslxpvvphxnjij.biz
wcdmfdujnfmsdbatgqguxkkr.com    
kjcuyddisgrmzfqfirwjzqglqdq.ru    
gavwnvhaknbytkvcojeifeyhcizxof.biz    
ysnvydeyswzjbxsofchsctsg.net    
cprhxsjukhuemfqrsdqhvo.org    
zdlaupvpfmwotcxcxfedrwfq.info    
ovxwwgvoupfuxhuibqwkwcjzqci.com    
knpfmvdpbljfgecidpfyovjzpz.ru    
xkzqwhyaixguhqrwskbqqcpz.com






No comments: