Wednesday, 28 October 2015

Malware spam: "Don and Carol Racine" / "www.boatclinic.net" / "boatclinic@aol.com"

This fake financial spam is not from Racine Design Inc but is instead a simple forgery with a malicious attachment:

From     [random]
Date     Wed, 28 Oct 2015 10:39:26 +0100
Subject     [random]

Dear :

Boat has been done a week now. I contacted you last week
The Boat is ready to pick up, I have had inquiries as to people wanting to buy it, the carb is in your possession and there is no way to run it, The boat could sell real easy at this time of year, Memorial day to 4th of July most boats are sold.
Please call me to arrange payment and pickup of the Boat, If you need me to store the boat I can do that at the storage facility, they do charge a fee for this 7.00 per day
The other Invoice for the embroidery will follow, Balance is due now !
Thanks

Your invoice is attached. Please remit payment

Thank you for your business - we appreciate it very much.


Sincerely,
Don and Carol Racine

Racine Design, Inc.
2036 Imeson Rd
Jacksonville, Fl. 32220

E-Mail boatclinic@aol.com
www.boatclinic.net
phone (904) 771-8170
fax (904) 771-0843

The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.

Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre, which commonly calls back to 197.149.90.166 (Cobranet, Nigeria), an IP I strongly recommend that you block.
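The two indicators in this post lend themselves to a quick triage check: a ZIP attachment whose base name is identical to the message subject, and outbound traffic to the Upatre/Dyre callback address. The script below is an added example written for this page, not code from the original post; the sample message and firewall log lines in it are constructed for the demonstration, and the log format (`SRC=`/`DST=` fields) is an assumption about how your own logs look.

```python
"""
Added example (not from the original post): a small mail/log triage check for
the indicators described above:
  1. a ZIP attachment whose base name matches the message subject, and
  2. a known callback IP showing up in firewall/proxy logs.
The sample message and log lines are constructed for the demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator from the post: the Upatre/Dyre callback address.
CALLBACK_IPS = {"197.149.90.166"}

# Hypothetical "random sentence" subject, reused as the ZIP name, as the post describes.
SAMPLE_SUBJECT = "Boat is ready to pick up"


def build_sample() -> bytes:
    """Construct a message shaped like the spam: forged sender, ZIP named after the subject."""
    msg = EmailMessage()
    msg["From"] = "Don and Carol Racine <boatclinic@aol.com>"  # forged, as in the post
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = SAMPLE_SUBJECT
    msg.set_content("Your invoice is attached. Please remit payment")
    # Minimal bytes starting with the ZIP local-file-header magic; not a real archive.
    msg.add_attachment(
        b"PK\x03\x04" + b"\x00" * 26,
        maintype="application",
        subtype="zip",
        filename=SAMPLE_SUBJECT + ".zip",
    )
    return msg.as_bytes()


def zip_attachments(raw: bytes) -> list:
    """Return the file names of all .zip attachments in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            names.append(name)
    return names


def subject_matches_zip(raw: bytes) -> bool:
    """True when a ZIP attachment's base name equals the subject (case/whitespace-insensitive)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    if not subject:
        return False
    for name in zip_attachments(raw):
        stem = re.sub(r"\.zip$", "", name, flags=re.IGNORECASE).strip().lower()
        if stem == subject:
            return True
    return False


# Constructed firewall log lines; the SRC=/DST= layout is an assumption.
LOG_LINES = [
    "2015-10-28T10:40:51 ACCEPT SRC=10.0.0.15 DST=93.184.216.34 DPT=443",
    "2015-10-28T10:41:02 ACCEPT SRC=10.0.0.15 DST=197.149.90.166 DPT=443",
    "2015-10-28T10:41:09 ACCEPT SRC=10.0.0.22 DST=10.0.0.1 DPT=53",
]

_LOG_RE = re.compile(r"^(\S+)\s+\S+\s+SRC=(\S+)\s+DST=(\S+)")


def hits_in_log(lines) -> list:
    """Return (timestamp, src, dst) for every line whose destination is a known callback IP."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and m.group(3) in CALLBACK_IPS:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    raw = build_sample()
    print("ZIP attachments:", zip_attachments(raw))
    print("subject matches ZIP name:", subject_matches_zip(raw))
    for ts, src, dst in hits_in_log(LOG_LINES):
        print(f"{ts} host {src} contacted callback IP {dst}")
```

The subject/ZIP-name match is a weak signal on its own (legitimate senders occasionally do the same), so treat it as a reason to quarantine for a closer look; a hit on the callback IP in `hits_in_log` is the stronger one and points at the internal host that should be pulled for investigation.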

UPDATE:

The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.
