Sponsored by..

Friday, 23 May 2014

Fake NatWest email downloads malware via Dropbox

This fake NatWest email follows the same pattern as this one except that it is downloading malware via Dropbox rather than Bitly.

From:     NatWest.co.uk [noreply@natwest.co.uk]
Date:     23 May 2014 11:36
Subject:     NatWest Statement

 View Your May 2014 Online Financial Activity Statement


Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:


View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank


Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592


NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.

Automated analysis tools [1] [2] show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip

The Malwr analysis shows that it then downloads some additional EXE files:
 As is typical with the attack, the payload appears to be P2P/Gameover Zeus/Zbot.

2 comments:

SecuNetix said...

See also the Vitelity Inc scam/phishing by e-mail: worninghttps://plus.google.com/u/0/110378176844254224345/posts/Xb6WrRwhMLw
Thanks

SecuNetix said...

See also the Vitelity Inc scam/phishing by e-mail worning (https://plus.google.com/u/0/110378176844254224345/posts/Xb6WrRwhMLw).
Thanks.