From: frs-cms-mailer@olen.frb.org
Date: 27 October 2015 at 17:32
Subject: ZFRSSE - CMS Collateral Report(s) as of 10/27/2015
You have received electronic delivery of the attached CMS Collateral Report(s) from the Federal Reserve System.
______________________________________________________________________
Note: This is an automated message and replies to this mailbox will not be answered. Questions concerning this message can be directed to your Federal Reserve Bank contact. This communication and all attachments hereto contain sensitive and confidential information. As a result, this communication has been encrypted in transit. This communication is intended solely for the use of the addressee and should be handled in accordance with applicable policies and procedures. If you have received this communication in error please delete or destroy all copies of it.
This message was secured in transit. ZFRSSE_20151027173233
-------------------------------------------------------------------------
This message was secured by ZixCorp(R).
This message center is strictly for use by current Federal Reserve System business partner and customer employees, any other use of this system is strictly prohibited.

The attachment in the sample I saw was named CMS Collateral Report_20151027173233.doc which has a VirusTotal detection rate of 4/55. The comments in that report point to another VirusTotal report indicating that it drops Upatre, but unusually, this code appears to have a valid Comodo certificate.

In turn, this drops a version of the Dyre banking trojan with a detection rate of 5/56.