Sponsored by..

Monday 13 October 2014

Malware spam: "You have received a new secure message from BankLine" / "You've received a new fax"

A couple of unimaginative spam emails leading to a malicious payload.

You have received a new secure message from BankLine

From:     Bankline [secure.message@bankline.com]
Date:     13 October 2014 12:48
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://losislotes.com/dropbox/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7507.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

You've received a new fax

From:     Fax [fax@victimdomain.com]
Date:     13 October 2014 13:07
Subject:     You've received a new fax

New fax at SCAN2166561 from EPSON by https://victimdomain.com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.mezaya.ly/dropbox/document.php

(Dropbox Drive is a file hosting service operated by Google, Inc.)

Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.

The Malwr analysis shows that the malware attempts to communicate with the following URLs:

http://94.75.233.13:40200/1310uk1/HOME/0/51-SP3/0/
http://94.75.233.13:40200/1310uk1/HOME/1/0/0/
http://94.75.233.13:40200/1310uk1/HOME/41/5/1/
http://carcomputer.co.uk/image/1310uk1.rtf
http://phyccess.com/Scripts/Pony.rtf
http://144.76.220.116/gate.php
http://hotelnuovo.com/css/heap_238_id2.rtf
http://wirelesssolutionsny.com/wp-content/themes/Wireless/js/heap_238_id2.rtf
http://isc-libya.com/js/Pony.rtf
http://85.25.152.238/

Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).

Recommended blocklist:

94.75.233.13
144.76.220.116
85.25.152.238
carcomputer.co.uk
phyccess.com
hotelnuovo.com
wirelesssolutionsny.com
isc-libya.com


No comments: