Sponsored by..

Monday, 4 August 2014

Bank of America "Important Documents" spam leads to Cryptowall

This fake BofA spam has a malicious payload:

Date:      Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From:      Andrea Talbot [Andrea.Talbot@bofa.com]
Subject:      RE: Important Documents

Please check attached documents regarding your Bofa account.

Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@bofa.com

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached 
Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54 and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home to the following URLs:

94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408cnet28/SANDBOXB/1/0/0/
dirbeen.com/khalid53/cnet28.zip
ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip

Recommended blocklist:
94.23.247.202
dirbeen.com
ibuildchoppers.com

1 comment:

Justin said...

Just had a user open the attachment yesterday (Aug 04 2014). Same delivery method (fake BofA email). Very convincing email, though. Luckily, our network security equipment blocked the outgoing calls.