Sponsored by..

Tuesday 24 November 2015


This spam does not come from the Federal Reserve Bank, but is instead a simple forgery with a malicious attachment:

From     "FDIC, Federal Reserve Bank"
Date     Tue, 24 Nov 2015 15:14:19 +0200
Subject     IMPORTANT!


You are getting this letter in connection with new directive No. 172390635 issued
by U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation
(FDIC). The directive concerns U.S. Federal Wire and ACH online payments.

We regret to inform you that from 11/24/2015 till 11/27/2015 definite restrictions
will be applied to all Federal Wire and ACH online transactions.

It's essential to know all the restrictions and the list of affected institutions.
The process of working with online transactions is mostly very tense, so it's possible
to overlook the applied restrictions, that may be very important for you.

More detailed information regarding the affected institutions and U.S. Treasury Department
restrictions is contained in the attached document.

Federal Reserve Bank System Administration

Alternative headers:
From    U.S. FRBank [admin@frb.com]
Date    24 November 2015 at 12:59
Subject    Attention!FED Wire and ACH Restrictions Applied!
From     FEDERAL RESERVE BANK [admin@usfrb.com]
Date     Tue, 24 Nov 2015 21:33:45 +0300
Subject     FED Wire and ACH Restrictions. IMPORTANT!

From     "USA FEDERAL RESERVE BANK" [security@frbservices.com]
Date     Tue, 24 Nov 2015 10:59:40 -0500
Subject     U.S. Treasury Department. FED Wire and ACH Restrictions Applied.

 Attached is an Excel file made up of part of the recipient's domain name plus a random number. So far I have seen two samples of this (VirusTotal [1] [2]) the latter of which is corrupt. The woirking one contains a macro that looks like this.

According to this Malwr report, the macro respectively POSTs and GETs from the following URLs:


Also, network communication is made with two other IPs, giving the following potentially malicious hosts: (First Colo / Fornex, Germany) (Masterhost, Russia) (Agava Ltd, Russia) (Beeline Broadband, Russia)

That .JPG file is actually an executable with a detection rate of 5/55. The Hybrid Analysis report shows all sorts of interesting things going on, but no clue as to what the purpose of the malware actually is. Those reports and this Malwr report shows some additional traffic: (e-Style ISP, Russia) (Volgatelecom, Russia)

According to this Malwr report it drops all sorts of files including _iscrypt.dll [VT 0/54] and 2.exe [VT 2/54] which is analysed in this Malwr report and this Hybrid Analysis report. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected.


Recommended blocklist:


This Hybrid Analysis report shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown.

No comments: