Sponsored by..

Wednesday, 23 September 2015

Malware spam: "Bankline ROI - Password Re-activation Form" / "secure.message@rbs.co.uk"

This fake banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:

From     "RBS" [secure.message@rbs.co.uk]
Date     Wed, 23 Sep 2015 11:28:48 GMT
Subject     Bankline ROI - Password Re-activation Form

Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.

<>

Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered. 

Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.

If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.

Regards
Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If
the message is received by anyone other than the intended recipient, please return
the message to the sender by replying to it and then delete the message from your
computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster
Bank Ireland Limited (\"Bankline Bank Group\")/ Royal Bank of Scotland Group plc
does not accept responsibility for changes made to this message after it was sent.
Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business
and operational purposes. By replying to this message you give your consent to our
monitoring of your email communications with us. Whilst all reasonable care has been
taken to avoid the transmission of viruses, it is the responsibility of the recipient
to ensure that the onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is accepted by any
member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and
the recipient should carry out such virus and other checks as it considers appropriate.

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious exeucutable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows behaviour consistent with Upatre / Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend blocking or monitoring.

No comments: