Sponsored by..

Thursday 16 October 2014

Barclays Bank "Transaction not complete" spam

This fake Barclays spam leads to malware.

From:     Barclays Bank [Barclays@email.barclays.co.uk]
Date:     16 October 2014 12:48
Subject:     Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.


For more details please download payment receipt below:

http://essecisoftware.it/docs/viewdoc.php


Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register
No. 122702). Registered in England. Registered Number is 1026167 with registered
office at 1 Churchill Place, London E14 5HP.

Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of  4/54. The Malwr report shows that it reaches out to the following URLs:

http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/
http://188.165.214.6:12302/1610uk1/HOME/1/0/0/
http://188.165.214.6:12302/1610uk1/HOME/41/5/1/
http://jwoffroad.co.uk/img/t/1610uk1.osa


In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to block or monitor.

It also drops two executables, bxqyy.exe (VT 5/54, Malwr report) and ldplh.exe (VT 1/51, Malwr report)
.


No comments: