Sponsored by..

Tuesday, 20 January 2015

Malware spam: "Barclays - Important Update, read carefully!" / "Barclays Online Bank [security-update@barclays.com]"

This fake Barclays spam leads to malware.

From:    Barclays Online Bank [security-update@barclays.com]
Date:    20 January 2015 at 14:41
Subject:    Barclays - Important Update, read carefully!

Dear Customer,

Protecting the privacy of your online banking access and personal information are our primary concern.

During the last complains because of online fraud we were forced to upgrade our security measures.

We believe that Invention of security measures is the best way to beat online fraud.

Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.

For security reasons we downloaded the Update Form to security Barclays webserver.

You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.

- Please download and complete the form with the requested details:  http://fizza.ro/BARCLAYS~ONLINE.BANKING~UPDATE/update.html

- Fill in all required fields with your accurately details (otherwise will lead to service suspension)

Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.

Thank you for your patience as we work together to protect your account.

Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.

Sincerely,

Barclays Online Bank Customer Service

We apologize for any inconvenience this may have caused.

(c) Copyright 2015 Barclays Bank Plc. All rights reserved.
The link in the email varies, some other examples seen are:
http://nrjchat.org/ONLINE~IMPORTANT-UPDATE/last-update.html
http://utokatalin.ro/ONLINE-BANKING_IMPORTANT/update.html
http://cab.gov.ph/ONLINE-IMPORTANT~UPDATE/last~update.html


Visiting these sites goes through some javascript hoops, and then leads to a ZIP file download which contains a malicious EXE that changes every time it is downloaded. The files are named in the general format update12345.zip and update54321.exe.

The file itself is an Upatre downloader, with poor detection rates [1] [2] [3].

The Malwr report shows traffic to the following URLs:
http://202.153.35.133:33384/2001uk11/HOME/0/51-SP3/0/
http://202.153.35.133:33384/2001uk11/HOME/1/0/0/
http://clicherfort.com/mandoc/eula012.pdf
http://202.153.35.133:33387/2001uk11/HOME/41/7/4/
http://essextwp.org/mandoc/ml1from1.tar

Out of these 202.153.35.133 (Excell Media Pvt Ltd, India) is one you should definitely block. This downloader drops several files including (in this case) %TEMP%\sJFcN24.exe which has a VirusTotal detection rate of just 3/57 and is identified as Dyreza.C by Norman anti-virus.

No comments: