Sponsored by..

Friday 6 March 2015

Malware spam: "You have received a new secure message from BankLine" / "Bankline [secure.message@business.natwest.com]"

This fake banking spam leads to malware.

From:    Bankline [secure.message@business.natwest.com]
Date:    6 March 2015 at 10:36
Subject:    You have received a new secure message from BankLine

You have received a secure message.

Your Documents have been uploaded to Cubby cloud storage.
Cubby cloud storage  is a cloud data service powered by LogMeIn, Inc.

Read your secure message by following the link bellow:

https://www.cubbyusercontent.com/pl/Business%20Secure%20Message.zip/_90ad04a3965340b195b8be98c6a6ae37


----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.

First time users - will need to register after opening the attachment.
About Email Encryption - https://help.business.natwest.com/support/app/answers/detail/a_id/1671/kw/secure%20message 
This downloads a ZIP file from cubbyusercontent.com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57.

Automated analysis tools [1] [2] [3] [4] show attempted connections to the following URLs:

http://all-about-weightloss.org/wp-includes/images/vikun.png
http://bestcoveragefoundation.com/wp-includes/images/vikun.png
http://190.111.9.129:14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://190.111.9.129:14249/0603no11/HOME/41/7/4/


It also appears that there is an attempted connection to 212.56.214.203.

Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to block. It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns.org to work out the IP address of the infected machine, it is worth checking for traffic to this domain.

The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57.


No comments: