Thursday, 10 September 2015

Malware spam: "Payroll Received by Intuit" / "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]

This fake payroll spam does not come from Intuit, but instead contains a malicious attachment:

From     "Intuit Payroll Services" [IntuitPayrollServices@payrollservices.intuit.com]
Date     Thu, 10 Sep 2015 06:32:37 -0500
Subject     Payroll Received by Intuit

Dear, petrol
We received your payroll on Sep 10, 2015 at 09:01.

Attached is a copy of your Remittance. Please click on the attachment in order to
view it.

Please note the deadlines and status instructions below:

If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be
paid two (2) banking days from the date received or on your paycheck date, whichever
is later. 

If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking
days from the date received or on your paycheck date, whichever is later. 

YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.

Funds are typically withdrawn before normal banking hours so please make sure you
have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.

Intuit must receive your payroll by 5 p.m., two banking days before your paycheck
date or your employees will not be paid on time. 

Intuit does not process payrolls on weekends or federal banking holidays. A list
of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Sincerely,

Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software.

If you have any questions or comments about this email, please DO NOT REPLY to this
email. If you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect
is a phishing email, please forward it to immediately to spoof@intuit.com.

© 2014 Intuit Inc. All rights reserved. Intuit and the Intuit Logo are registered
trademarks and/or registered service marks of Intuit Inc. in the United States and
other countries. All other marks are the property of their respective owners, should
be treated as such, and may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 

The attached file payroll_report.zip contains a malicious executable, payroll_report.scr, which has a VirusTotal detection rate of 3/56. The Hybrid Analysis report shows traffic patterns consistent with the Upatre downloader and the Dyre banking trojan.

In particular, the malware contacts a familiar server at 197.149.90.166 (Cobranet, Nigeria) which you should definitely block traffic to.

MD5:
4dbdf9e73db481b001774b8b9b522ebe
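As an added example (not part of the original post), the following Python script shows how a mail gateway or triage tool could flag this kind of message: it walks a raw message, opens every ZIP attachment in memory, and reports any member that carries an executable extension such as .scr or whose MD5 matches the hash above. The sample message it builds is constructed here with a harmless placeholder file; the sender, subject and attachment names are the ones from the spam.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 of payroll_report.scr as reported in the post.
KNOWN_MD5 = {"4dbdf9e73db481b001774b8b9b522ebe"}
# Extensions that should never arrive as "remittance" attachments.
EXEC_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per ZIP member that is executable or matches a known hash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            md5 = hashlib.md5(zf.read(info)).hexdigest()
            is_exec = info.filename.lower().endswith(EXEC_EXTENSIONS)
            if is_exec or md5 in KNOWN_MD5:
                findings.append({"member": info.filename, "md5": md5,
                                 "executable": is_exec, "known_bad": md5 in KNOWN_MD5})
    return findings


def inspect_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every ZIP attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True)
        if filename.endswith(".zip") and payload:
            for f in inspect_zip_attachment(payload):
                f["attachment"] = part.get_filename()
                findings.append(f)
    return findings


def build_sample() -> bytes:
    """Constructed sample: the spam's headers with a ZIP holding a harmless stub named payroll_report.scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll_report.scr", b"placeholder bytes, not the real malware")
    m = EmailMessage()
    m["From"] = "Intuit Payroll Services <IntuitPayrollServices@payrollservices.intuit.com>"
    m["Subject"] = "Payroll Received by Intuit"
    m.set_content("Attached is a copy of your Remittance.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="payroll_report.zip")
    return m.as_bytes()
```

On the constructed sample the script flags payroll_report.scr by extension only; on the real attachment the MD5 check would also fire.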