Sponsored by..

Wednesday 15 February 2017

Malware spam: "RBC - Secure Message" / service@rbc-secure-message.com

This fake banking email leads to some sort of malware:



From:    RBC - Royal Bank [service@rbc-secure-message.com]
Date:    15 February 2017 at 17:50
Subject:    RBC - Secure Message
Signed by:    rbc-secure-message.com


Secure Message Secure Icon
This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information.

Note: You should not store confidential information unless it is encrypted.
CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.


RBCSecureMessage.doc
44K



Attached is a file RBCSecureMessage.doc which contains some sort of macro-based malware. It displays the following page to entice victims to disable their security settings.



Automated analysis is inconclusive [1] [2].  The domain rbc-secure-message.com is fake and has been registered solely for this purpose of malware distribution. In all the samples I saw, the sending IP was 64.91.248.146 (Liquidweb, US) but it does look like all these IPs in the neighbourhood are involved in the same activity:

64.91.248.137
64.91.248.146
64.91.248.148
64.91.248.150

I recommend you block 64.91.248.128/27 at your email gateway to be sure.





No comments: