From "FDIC, Federal Reserve Bank"
Date Tue, 24 Nov 2015 15:14:19 +0200
Subject IMPORTANT!
FEDERAL RESERVE BANK
Important:
You are getting this letter in connection with new directive No. 172390635 issued
by U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation
(FDIC). The directive concerns U.S. Federal Wire and ACH online payments.
We regret to inform you that from 11/24/2015 till 11/27/2015 definite restrictions
will be applied to all Federal Wire and ACH online transactions.
It's essential to know all the restrictions and the list of affected institutions.
The process of working with online transactions is mostly very tense, so it's possible
to overlook the applied restrictions, that may be very important for you.
More detailed information regarding the affected institutions and U.S. Treasury Department
restrictions is contained in the attached document.
Federal Reserve Bank System Administration
Alternative headers:
From U.S. FRBank [admin@frb.com]
Date 24 November 2015 at 12:59
Subject Attention!FED Wire and ACH Restrictions Applied!
From FEDERAL RESERVE BANK [admin@usfrb.com]
Date Tue, 24 Nov 2015 21:33:45 +0300
Subject FED Wire and ACH Restrictions. IMPORTANT!
From "USA FEDERAL RESERVE BANK" [security@frbservices.com]
Date Tue, 24 Nov 2015 10:59:40 -0500
Subject U.S. Treasury Department. FED Wire and ACH Restrictions Applied.
Attached is an Excel file made up of part of the recipient's domain name plus a random number. So far I have seen two samples of this (VirusTotal [1] [2]) the latter of which is corrupt. The woirking one contains a macro that looks like this.
According to this Malwr report, the macro respectively POSTs and GETs from the following URLs:
rmansys.ru/utils/inet_id_notify.php
s01.yapfiles.ru/files/1323961/435323.jpg
Also, network communication is made with two other IPs, giving the following potentially malicious hosts:
185.26.97.120 (First Colo / Fornex, Germany)
90.156.241.111 (Masterhost, Russia)
89.108.101.61 (Agava Ltd, Russia)
95.27.132.170 (Beeline Broadband, Russia)
That .JPG file is actually an executable with a detection rate of 5/55. The Hybrid Analysis report shows all sorts of interesting things going on, but no clue as to what the purpose of the malware actually is. Those reports and this Malwr report shows some additional traffic:
217.197.126.52 (e-Style ISP, Russia)
88.147.168.112 (Volgatelecom, Russia)
According to this Malwr report it drops all sorts of files including _iscrypt.dll [VT 0/54] and 2.exe [VT 2/54] which is analysed in this Malwr report and this Hybrid Analysis report. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected.
MD5s:
dfe5c17d74d5827df48395561ff2df58
132e53dcc20c8c2ebbec669d2764c182
832d9cc537e52e220a58a0f47069a315
Recommended blocklist:
185.26.97.120
90.156.241.111
89.108.101.61
95.27.132.170
217.197.126.52
88.147.168.112
217.19.105.3
UPDATE
This Hybrid Analysis report shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown.