
Wednesday, 11 June 2014

Fake RBS spam spreads malware via Cubby.com

This fake bank spam downloads malware from file sharing site cubby.com:

From: Sammie Aaron [Sammie@rbs.com]
Date: 11 June 2014 12:20
Subject: Important Docs

Please review attached documents regarding your account.

To view/download your documents please click here

Tel:  01322 215660
Fax: 01322 796957
email: Sammie@rbs.com

This information is classified as Confidential unless otherwise stated. 

The download location is [donotclick]www.cubby.com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86, which serves a file Document-772976_829712.zip. That archive contains a malicious executable, Document-772976_829712.scr, which has a VirusTotal detection rate of just 1/54.

Automated analysis tools [1] [2] [3] [4] show that it creates a file with the distinctive name googleupdaterr.exe and attempts to communicate with the following IPs:
85.25.148.6 (Intergenia AG, Germany)
192.99.6.61 (OVH, Canada)
217.12.207.151 (ITL Company, Ukraine)

(Plain list)
85.25.148.6
192.99.6.61
217.12.207.151
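As an added illustration (not code from the original post), here is a small Python check that covers the two defender-side points above: a zip attachment carrying a .scr (or any member starting with the "MZ" executable magic, even under a disguised extension), and log lines that reference the listed C2 addresses or the dropped filename googleupdaterr.exe. The zip built inside the block is constructed test data, not the real sample.

```python
import io
import re
import zipfile

# Indicators taken from the post; everything else in this block is an assumption.
C2_IPS = {"85.25.148.6", "192.99.6.61", "217.12.207.151"}
DROPPED_NAME = "googleupdaterr.exe"
EXEC_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def suspicious_members(zip_bytes):
    """Names of archive members that look like Windows executables, judged by
    extension or by the 'MZ' magic at the start of the member's data."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(2)
            if info.filename.lower().endswith(EXEC_EXTS) or head == b"MZ":
                hits.append(info.filename)
    return hits


def build_sample_zip(member_name, payload):
    """Build an in-memory zip holding one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def ioc_hits(log_lines):
    """(line_number, indicator) for lines that mention a C2 IP or the dropped file."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IP_RE.findall(line):
            if ip in C2_IPS:
                hits.append((n, ip))
        if DROPPED_NAME in line.lower():
            hits.append((n, DROPPED_NAME))
    return hits


if __name__ == "__main__":
    sample = build_sample_zip("Document-772976_829712.scr", b"MZ\x90\x00stub")
    print(suspicious_members(sample))
    print(ioc_hits(["proxy src=10.0.0.5 dst=192.99.6.61:80 GET /",
                    r"file created C:\Users\x\AppData\Local\googleupdaterr.exe"]))
```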

1 comment:

Steve Basford said...

Sanesecurity signatures for ClamAV are blocking these (www.sanesecurity.com)

Cheers,

Steve