
Wednesday 4 November 2015

Malware spam: "Email from Transport for London" / noresponse@cclondon.com

This fake Transport for London spam is a variation of something used before. It does not actually come from TfL, but is a simple forgery with a malicious attachment:

From     "Transport for London" [noresponse@cclondon.com]
Date     Wed, 4 Nov 2015 14:33:44 +0100
Subject     Email from Transport for London

Dear Customer

Please open the attached file to view correspondence from Transport for London.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.

Attached is a file 6305093.zip, of which I have seen just one sample, containing a malicious executable 6305093.scr (MD5 6a4cce90ba28720fa9e6813f681b1f75) which has a VirusTotal detection rate of 7/54. This Hybrid Analysis report shows it communicating with the well-known malicious IP address 197.149.90.166 (Cobranet, Nigeria), which I recommend you block.
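A triage check for this kind of lure, as an added example that is not part of the original post: it opens a ZIP attachment entirely in memory, flags members whose names end in an extension Windows will execute (a .scr is an ordinary PE, just like an .exe), catches the "statement.pdf.exe" double-extension trick, and compares each member's MD5 against an indicator list seeded with the hash from the post. The ZIP it scans is constructed inline from a harmless placeholder byte string, so it is not the real 6305093.scr and its hash does not match the known-bad value; the extension lists, size cap and function names are this example's own choices.

```python
import hashlib
import io
import zipfile

# Indicator from the post: MD5 of the 6305093.scr sample inside 6305093.zip.
KNOWN_BAD_MD5 = {"6a4cce90ba28720fa9e6813f681b1f75"}

# File types Windows will run on double-click. A .scr is an ordinary PE
# (screensaver) and behaves exactly like an .exe. (Assumed list, not from the post.)
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi",
}
# Document-like extensions used as the first half of a "statement.pdf.exe"
# double extension. (Assumed list.)
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # refuse to inflate anything larger (zip bombs)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def extension_reasons(name):
    """Explain why a member name looks like an executable lure, if it does."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension")
    return reasons


def triage_zip(zip_bytes, known_bad=KNOWN_BAD_MD5):
    """Inspect a ZIP attachment in memory and report on every member.

    Nothing is written to disk, and members larger than MAX_MEMBER_BYTES are
    flagged rather than inflated. Returns one dict per file member; a member
    with a non-empty "reasons" list is suspicious.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "md5": None,
                     "reasons": extension_reasons(info.filename)}
            if info.file_size > MAX_MEMBER_BYTES:
                entry["reasons"].append("oversized member, not inflated")
            else:
                with zf.open(info) as fh:
                    entry["md5"] = md5_hex(fh.read())
                if entry["md5"] in known_bad:
                    entry["reasons"].append("known-bad MD5")
            report.append(entry)
    return report


def suspicious_members(report):
    """Names of the members that tripped at least one rule."""
    return [e["name"] for e in report if e["reasons"]]


# Constructed stand-in for the attachment: a harmless byte string, NOT the
# real 6305093.scr, so its hash does not match KNOWN_BAD_MD5.
SAMPLE_SCR_BYTES = b"MZ constructed placeholder, not a real PE"


def build_sample_zip():
    """Build an in-memory ZIP shaped like the lure (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("6305093.scr", SAMPLE_SCR_BYTES)
        zf.writestr("statement.pdf.exe", b"constructed double-extension lure")
        zf.writestr("readme.txt", b"benign text member")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"{flag:10} {entry['name']:20} {entry['md5']}  {', '.join(entry['reasons'])}")
```

Run against a real attachment by reading the .zip into bytes and passing it to triage_zip; extend KNOWN_BAD_MD5 with hashes from VirusTotal or your own sandbox as further samples turn up. The extension rule fires on the constructed sample even though the hash does not match, which is the point: hash indicators only catch the one sample seen, while the "executable inside a ZIP from an unknown sender" shape catches the next variant too.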

The payload here seems to be Upatre dropping the Dyre banking trojan.
