
Wednesday 25 June 2014

RBS "Outstanding invoice" spam leads to malicious ZIP file

This fake RBS spam leads to malware:

From: Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
Date: 25 June 2014 15:25
Subject: Outstanding invoice

Dear [redacted],

Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.

http://figarofinefood.com/share/document-128_712.zip

I would be grateful if you could look into this matter and advise on an expected payment date .

Many thanks

Max Francis

Credit Control

Tel: 0845 300 2952

The link isn't a Dropbox link at all; it downloads an archive from [donotclick]figarofinefood.com/share/document-128_712.zip containing the malicious executable document-128_712.scr, which has a VirusTotal detection rate of 4/54.
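As an added example (not part of the original post), a small Python check for the two tells described above: the message claims a Dropbox link but the host is something else, and the "document" inside the archive is a .scr executable. The sample body and ZIP are constructed inline; nothing is downloaded.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Hosts a genuine Dropbox share would use; a "Dropbox" lure pointing anywhere else is a mismatch.
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
# Extensions Windows runs as programs; .scr (screensaver) is an ordinary PE executable.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def suspicious_links(body: str) -> list:
    """Return (url, reasons) pairs for links that match this lure: the text claims
    a Dropbox link but the host is not Dropbox, or the link serves an archive directly."""
    mentions_dropbox = "dropbox" in body.lower()
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if mentions_dropbox and host not in DROPBOX_HOSTS:
            reasons.append(f"claims Dropbox but host is {host}")
        if parsed.path.lower().endswith((".zip", ".rar", ".7z")):
            reasons.append("direct archive download")
        if reasons:
            findings.append((url, reasons))
    return findings


def executables_in_zip(data: bytes) -> list:
    """Names of ZIP members (archive given as bytes) that carry an executable extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]


# Constructed sample body: the lure wording from the post with its link written out plainly.
SAMPLE_BODY = (
    "Please download on the link below from dropbox copy invoice which is showing as unpaid.\n"
    "http://figarofinefood.com/share/document-128_712.zip\n"
)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the downloaded archive: one harmless file named like the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document-128_712.scr", b"placeholder, not an executable")
    return buf.getvalue()
```

Running `suspicious_links(SAMPLE_BODY)` flags the one link for both reasons, and `executables_in_zip(build_sample_zip())` returns the .scr member name.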

Automated analysis tools [1] [2] [3] show that it attempts to phone home to babyslutsnil.com on 199.127.225.232 (Tocici LLC, US). That domain was registered a few days ago with the following (possibly fake) details:

Registrar Registration Expiration Date: 2015-06-12
Registrar: Domain names registrar REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant Name: Viktor Ponomarev
Registrant Organization: Private Person
Registrant Street: veselaia d 81 kv 818
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 156737
Registrant Country: RU
Registrant Phone: +79267463723
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: tiosombovisi1987@mail.ru
Registry Admin ID:

