Sponsored by..

Showing posts with label Cloudflare. Show all posts
Showing posts with label Cloudflare. Show all posts

Thursday 10 May 2018

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan.

From:    Barclays [service@barclaysdownloads.co.uk]
Date:    10 May 2018, 13:16
Subject:    New documents available for download
Signed by:    barclaysdownloads.co.uk
Security:    Standard encryption (TLS) Learn more

Barclays Bank PLC Has Sent You Important Account Documents to Sign

You can view the document in your Barclays Cloud account. For additional security, the sender has set an open password for this document.

Documents assigned to: jlines@[redacted]
Your unique download password: "CJ98oZOwye"

To view or download the document please click here.

The submission number is id: bc7729-272sec912-91navc.
Please quote this number in any communications with Barclays.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Barclays IBE.

Copyright 2018 Barclays PLC. All rights reserved. 

The download password and submission number are the same in all cases I have seen. Clicking the link leads to a landing page at barclaysdownloads.com.

Entering the password downloads a document AccountDocuments.doc with a VirusTotal detection rate of 14/58, and Hybrid Analysis indicates that this uses an Equation Editor flaw to run a Powershell that downloads an additional component from:


The .bin file is saved as %TEMP%\lovemete.exe and this currently has a detection rate of 15/65. Hybrid Analysis indicates this is Trickbot.

barclaysdownloads.co.uk and barclaysdownloads.com have both been registered for this purpose, the latter of which is hosted at Cloudflare.

Thursday 12 February 2015

"invoice :reminder" spam leads to CVE-2012-0158 exploit

This spam has a malicious attachment:

From:    Hajime Daichi
Date:    12 February 2015 at 15:59
Subject:    invoice :reminder


Please find attached invoice copy for a transfer of USD29,900.00 payed to
your company account yesterday.

You can save, view and print this SWIFT message at your convenience.

Please email should you require any additional information on this
We thank you for your continued patronage.

Corp. Office / Showroom:
# 8-2-293/82/A/706/1,
Road No. 36, Jubilee Hills,
HYDERABAD - 500 033.
Tel: +91 40 2355 4474 / 77
Fax:+91 40 2355 4466
E-mail: info@valueline.in

Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that is is malicious, with a detection rate of 6/57. Those detection indicate that this is exploitng CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble.

The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex.net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57 and the Malwr report for this indicates that among other things it installs a keylogger, confirmed by the ThreatExpert report.

The domain directxex.net [Googe Safebrowsing] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of I definitely recommend that you block traffic to directxex.net.