"You've received a new fax"
From: Fax [fax@victimdomain.com]
Date: 10 October 2014 11:34
Subject: You've received a new fax
New fax at SCAN7097324 from EPSON by https://victimdomain.com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://www.eialtd.com/kk/document.php
(Google Disk Drive is a file hosting service operated by Google, Inc.)
"You have received a new secure message from BankLine"
From: Bankline [secure.message@bankline.com]
Date: 10 October 2014 10:29
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
http://www.electromagneticsystems.com/kk/document.php
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3297.
First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message
Following the link downloads a file document_73128_91898_pdf.zip from the linked site; the archive contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.
According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:
94.75.233.13/1010uk1/NODE01/41/5/1/
94.75.233.13/private/sandbox_status.php
94.75.233.13/1010uk1/NODE01/0/51-SP3/0/
94.75.233.13/1010uk1/NODE01/1/0/0/
beanztech.com/beanz/1010uk1.rtf
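As an added example (not part of the original post), here is a small Python helper that applies two defensive checks these samples suggest: flagging body links whose host does not match the claimed sender domain (both lures point at an unrelated /kk/document.php), and scanning proxy log lines for the hosts listed above. The log lines and the function names are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post: the shared lure download path and the hosts
# the dropped executable contacted according to the ThreatExpert report.
LURE_PATH = "/kk/document.php"
C2_HOSTS = {"94.75.233.13", "beanztech.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def mismatched_links(sender: str, body: str) -> list:
    """URLs in the body whose host is not the sender's domain (or a subdomain of it).

    Both lures claim to come from one domain (victimdomain.com, bankline.com) but
    link to an unrelated host for the 'document' download; that mismatch is the
    cheap heuristic implemented here."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    found = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            found.append(url)
    return found

def ioc_hits(proxy_lines: list) -> list:
    """Return (line_no, reason) for proxy log lines that touch a known indicator."""
    hits = []
    for n, line in enumerate(proxy_lines, 1):
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if host in C2_HOSTS:
                hits.append((n, "C2 host " + host))
            elif parsed.path == LURE_PATH:
                hits.append((n, "lure download path on " + host))
    return hits

# Constructed sample input (not real traffic): the fax lure body and three proxy lines.
FAX_BODY = """New fax at SCAN7097324 from EPSON by https://victimdomain.com
You can secure download your fax message at:
http://www.eialtd.com/kk/document.php"""

PROXY_LOG = [
    "2014-10-10 11:35:02 10.0.0.12 GET http://www.eialtd.com/kk/document.php 200",
    "2014-10-10 11:35:40 10.0.0.12 GET http://94.75.233.13/private/sandbox_status.php 200",
    "2014-10-10 11:36:11 10.0.0.17 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    print(mismatched_links("fax@victimdomain.com", FAX_BODY))
    print(ioc_hits(PROXY_LOG))
```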