
Tuesday 30 September 2014

Malware spam: NatWest "You have a new Secure Message" / "You've received a new fax"

The daily mixed spam run has started again; these are the two samples seen so far this morning:

NatWest: "You have a new Secure Message"

From:     NatWest [secure.message@natwest.com]
Date:     30 September 2014 09:58
Subject:     You have a new Secure Message - file-3800

You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )


Please download your ecnrypted message at:

http://binuli.ge/docs/document0679

(Google Disk Drive is a file hosting service operated by Google, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6002.

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     30 September 2014 09:57
Subject:     You've received a new fax

New fax at SCAN4148711 from EPSON by https://victimdomain.com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.brianhomesinc.com/docs/document5928

(Google Disk Drive is a file hosting service operated by Google, Inc.)

The link in the email passes through a script that checks that you are using a Windows PC, then downloads a file document3009.zip containing a malicious executable document3009.scr, which has a VirusTotal detection rate of 3/54. The Comodo CAMAS report and Anubis report are rather inconclusive.

UPDATE: the ThreatTrack report [pdf] shows that the malware attempts to communicate with the following locations:

188.165.198.52/3009uk1/NODE01/0/51-SP3/0/
188.165.198.52/3009uk1/NODE01/1/0/0/

188.165.198.52 is (unsurprisingly) allocated to OVH in France and is definitely worth blocking.
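As an added example (not part of the original post), the script below scans proxy-log lines for the indicators described above: the "/docs/document&lt;digits&gt;" lure path seen in both samples, the C2 host 188.165.198.52 and its beacon path. The log format, the client addresses and the sample lines are constructed assumptions.

```python
import re

# Indicators taken from the post: the C2 host and the beacon path it is contacted on.
C2_HOST = "188.165.198.52"
BEACON_RE = re.compile(r"^/3009uk1/NODE01/")
# Both spam samples link to a "/docs/document<digits>" path on a compromised site.
LURE_PATH_RE = re.compile(r"^/docs/document\d+$")

# Assumed proxy log format (constructed for this example):
# <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")

def classify(url):
    """Return a label for a URL matching one of the post's indicators, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host"), m.group("path") or "/"
    if host == C2_HOST and BEACON_RE.match(path):
        return "c2-beacon"      # the exact check-in pattern from the ThreatTrack report
    if host == C2_HOST:
        return "c2-host"        # any other contact with the C2 address is still worth a look
    if LURE_PATH_RE.match(path):
        return "lure-download"  # someone clicked the link in the spam
    return None

def scan_log(lines):
    """Return (client_ip, url, label) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing on them
        label = classify(m.group("url"))
        if label:
            hits.append((m.group("client"), m.group("url"), label))
    return hits

# Constructed sample log lines (hosts and paths from the post, clients and timestamps made up).
SAMPLE_LOG = """\
2014-09-30T09:59:01 10.0.0.12 GET http://binuli.ge/docs/document0679 200
2014-09-30T10:00:10 10.0.0.12 GET http://188.165.198.52/3009uk1/NODE01/0/51-SP3/0/ 200
2014-09-30T10:00:11 10.0.0.12 GET http://188.165.198.52/3009uk1/NODE01/1/0/0/ 404
2014-09-30T10:01:00 10.0.0.45 GET http://www.example.com/docs/documentation 200
garbage line
""".splitlines()

if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{label:14} {client:12} {url}")
```

The "c2-beacon" hits identify the machine that ran document3009.scr, which is the one to pull off the network; a lone "lure-download" hit shows a click but not necessarily an infection.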



2 comments:

Jan said...

"Outdated Invoice" variant in the mix also here today.


Conrad Longmore said...

@Jan, and an RBS "Important Documents" too.