Sponsored by..

Monday 8 September 2014

RBS "Important Docs" spam doing the rounds again

The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.

Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs.co.uk]
Subject:      Important Docs

Please review attached documents regarding your account.

Tel:  01322 929655
Fax: 01322 499190
email: Vicente@rbs.co.uk

This information is classified as Confidential unless otherwise stated. 
Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53. The ThreatTrack analysis [pdf] shows that it attempts to download components from the following locations:

95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip

95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood.com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).

Recommended blocklist:
bullethood.com
95.141.37.158
94.23.250.88

No comments: