Tuesday 27 October 2015

Malware spam: "ZFRSSE - CMS Collateral Report(s) as of 10/27/2015" / "frs-cms-mailer@olen.frb.org"

This fake financial email.. whatever the heck it is pretending to be.. is not from the Federal Reserve System, but is instead a simple forgery with a malicious attachment.

From:    frs-cms-mailer@olen.frb.org
Date:    27 October 2015 at 17:32
Subject:    ZFRSSE - CMS Collateral Report(s) as of 10/27/2015

You have received electronic delivery of the attached CMS Collateral Report(s) from the Federal Reserve System.

Note: This is an automated message and replies to this mailbox will not be answered.  Questions concerning this message can be directed to your Federal Reserve Bank contact.  This communication and all attachments hereto contain sensitive and confidential information.  As a result, this communication has been encrypted in transit.  This communication is intended solely for the use of the addressee and should be handled in accordance with applicable policies and procedures.  If you have received this communication in error please delete or destroy all copies of it.

This message was secured in transit.  ZFRSSE_20151027173233
This message was secured by ZixCorp(R).
This message center is strictly for use by current Federal Reserve System business partner and customer employees, any other use of this system is strictly prohibited.

The attachment in the sample I saw was named CMS Collateral Report_20151027173233.doc which has a VirusTotal detection rate of 4/55. The comments in that report point to another VirusTotal report indicating that it drops Upatre.. but unusually, this code appears to have a valid Comodo certificate.

In turn, this drops a version of the Dyre banking trojan with a detection rate of 5/56.
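As an added illustration (not part of the original post), the following mail-gateway style triage check uses only the Python standard library and the indicators quoted above: the frb.org sender, the "ZFRSSE - CMS Collateral Report(s)" subject, and the timestamped "CMS Collateral Report_*.doc" attachment name. The message it inspects is constructed inline, and the "report" attachment is just an OLE2 magic header padded with zeros, not the real dropper; the OLE check shows why a binary .doc should be treated as a macro carrier regardless of the "secured by ZixCorp" wording in the body.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the spam sample described in the post.
LURE_SENDER_DOMAIN = "frb.org"
LURE_SUBJECT_RE = re.compile(r"^ZFRSSE - CMS Collateral Report\(s\) as of \d{2}/\d{2}/\d{4}$")
LURE_ATTACHMENT_RE = re.compile(r"^CMS Collateral Report_\d{14}\.doc$", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header (legacy binary .doc)


def build_sample() -> bytes:
    """Constructed stand-in for the spam message; the attachment is a dummy OLE header, not malware."""
    msg = EmailMessage()
    msg["From"] = "frs-cms-mailer@olen.frb.org"
    msg["To"] = "recipient@example.com"  # placeholder recipient
    msg["Subject"] = "ZFRSSE - CMS Collateral Report(s) as of 10/27/2015"
    msg.set_content("You have received electronic delivery of the attached CMS Collateral Report(s) "
                    "from the Federal Reserve System.\nThis message was secured by ZixCorp(R).")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application", subtype="msword",
                       filename="CMS Collateral Report_20151027173233.doc")
    return bytes(msg)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect findings matching this lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    findings = []
    if LURE_SUBJECT_RE.match(subject):
        findings.append("subject matches known lure")
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == LURE_SENDER_DOMAIN or domain.endswith("." + LURE_SENDER_DOMAIN):
        findings.append("sender claims a Federal Reserve domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if LURE_ATTACHMENT_RE.match(name):
            findings.append(f"attachment name matches lure: {name}")
        if payload.startswith(OLE_MAGIC):
            # Binary Word documents can carry VBA macros; do not trust the extension alone.
            findings.append(f"attachment is an OLE2 document (possible macro carrier): {name}")
    return {"sender": sender, "subject": subject, "findings": findings,
            "verdict": "quarantine" if len(findings) >= 2 else "allow"}
```

Two or more matching indicators are enough to quarantine here; a single hit (for example only the sender domain) is deliberately not, to keep the check from flagging legitimate mail on one weak signal.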