The link in the email goes through a script that checks that you are using a Windows PC and then downloads a file document3009.zip, which contains a malicious executable document3009.scr with a VirusTotal detection rate of 3/54. The Comodo CAMAS report and Anubis report are rather inconclusive.
NatWest: "You have a new Secure Message"
From: NatWest [secure.message@natwest.com]
Date: 30 September 2014 09:58
Subject: You have a new Secure Message - file-3800
You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
Please download your ecnrypted message at:
http://binuli.ge/docs/document0679
(Google Disk Drive is a file hosting service operated by Google, Inc.)
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6002.
"You've received a new fax"
From: Fax [fax@victimdomain.com]
Date: 30 September 2014 09:57
Subject: You've received a new fax
New fax at SCAN4148711 from EPSON by https://victimdomain.com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://www.brianhomesinc.com/docs/document5928
(Google Disk Drive is a file hosting service operated by Google, Inc.)
UPDATE: the ThreatTrack report [pdf] shows that the malware attempts to communicate with the following locations:
188.165.198.52/3009uk1/NODE01/0/51-SP3/0/
188.165.198.52/3009uk1/NODE01/1/0/0/
188.165.198.52 is (unsurprisingly) allocated to OVH in France and is definitely worth blocking.
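The post gives three things a defender can act on: the lure URLs (a /docs/documentNNNN path on a compromised host), the callback to 188.165.198.52 under /3009uk1/, and the delivery of a .scr executable inside a zip. The block below is an added example, not code from the post, that turns those indicators into a small detection script: it scans proxy log lines for the lure and callback URLs and inspects a zip archive for members Windows would execute. The log format, the client IPs and the archive (which holds harmless text, not the real document3009.scr) are all constructed for the example; the "lure-pattern" rule generalises the two quoted URLs to any four-digit /docs/documentNNNN path, which goes beyond what the post itself states.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Indicators quoted in the post: the two lure URLs, the callback host and
# its URL path prefix. Everything else in this block is constructed.
LURE_URLS = {
    "http://binuli.ge/docs/document0679",
    "http://www.brianhomesinc.com/docs/document5928",
}
LURE_PATH_RE = re.compile(r"^/docs/document\d{4}$")  # generalised lure path (assumption)
C2_HOST = "188.165.198.52"
C2_PATH_PREFIX = "/3009uk1/"

# Extensions Windows runs as executables; .scr is the one used in this campaign.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Hypothetical proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2014-09-30T09:58:41Z 10.1.2.3 GET http://binuli.ge/docs/document0679 200
2014-09-30T09:59:02Z 10.1.2.3 GET http://188.165.198.52/3009uk1/NODE01/0/51-SP3/0/ 200
2014-09-30T09:59:05Z 10.1.2.3 GET http://188.165.198.52/3009uk1/NODE01/1/0/0/ 200
2014-09-30T10:00:00Z 10.1.2.4 GET http://www.example.com/index.html 200
2014-09-30T10:00:13Z 10.1.2.5 GET http://www.brianhomesinc.com/docs/document5928 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return the indicator category a URL matches, or None if it matches nothing."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == C2_HOST and parts.path.startswith(C2_PATH_PREFIX):
        return "c2-callback"       # post-infection traffic: host is already compromised
    if url in LURE_URLS:
        return "lure-url"          # exact lure link from the phishing emails
    if LURE_PATH_RE.match(parts.path):
        return "lure-pattern"      # same path shape on a host not seen in the post
    return None


def scan_proxy_log(text):
    """Return (client, url, category) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        category = classify_url(url)
        if category:
            hits.append((client, url, category))
    return hits


def executables_in_zip(data):
    """List archive members whose extension Windows would execute (e.g. .scr)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                found.append(name)
    return found


def build_sample_zip():
    """Constructed stand-in for document3009.zip; the member is plain text, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document3009.scr", "not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for client, url, category in scan_proxy_log(SAMPLE_LOG):
        print(f"{category:14} {client} {url}")
    print("executables in archive:", executables_in_zip(build_sample_zip()))
```

Run over the constructed log, the script separates a client that merely fetched the lure (worth checking) from one that went on to call back to 188.165.198.52 (already infected, isolate it). The archive check is the mail-gateway side of the same campaign: a zip whose only member is a .scr is a strong signal regardless of the file name.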
2 comments:
"Outdated Invoice" variant in the mix also here today.
@Jan, and an RBS "Important Documents" too.