
Friday 8 August 2014

RBS "RE: Incident IM03393549" spam

This fake RBS spam has a malicious attachment:

Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
From:      Annie Wallace[Annie.Wallace@rbs.co.uk]
Subject:      RE: Incident IM03393549

Good Afternoon ,

Attached are more details regarding your account incident. Please extract the attached
content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to
resolve it as soon as possible. The incident reference for this is IM03393549.

We would let you know once this issue has been resolved, but with any further questions
or issues, please let me know.

Kind Regards,

Annie Wallace Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th
Floor, 1 Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Annie.Wallace@rbs.co.uk The content of this e-mail is
CONFIDENTIAL unless stated otherwise 

The attachment is IM03393549.zip, which contains a malicious executable, IM008082014.scr, with a VirusTotal detection rate of 15/42. The CAMAS report shows that the malware connects to the following locations to download additional components:

94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia.com/Scripts/n0808uk.zip
energysavingproductsinfo.com/wp-content/uploads/2014/08/n0808uk.zip

The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.

Recommended blocklist:
94.23.247.202
quesoslaespecialdechia.com
energysavingproductsinfo.com
