You have received a new secure message from BankLine
From: Bankline [secure.message@bankline.com]
Date: 13 October 2014 12:48
Subject: You have received a new secure message from BankLine
You have received a secure message.
Read your secure message by following the link bellow:
http://losislotes.com/dropbox/document.php
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7507.
First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message
You've received a new fax
From: Fax [fax@victimdomain.com]
Date: 13 October 2014 13:07
Subject: You've received a new fax
New fax at SCAN2166561 from EPSON by https://victimdomain.com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://www.mezaya.ly/dropbox/document.php
(Dropbox Drive is a file hosting service operated by Google, Inc.)
Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.
The Malwr analysis shows that the malware attempts to communicate with the following URLs:
http://94.75.233.13:40200/1310uk1/HOME/0/51-SP3/0/
http://94.75.233.13:40200/1310uk1/HOME/1/0/0/
http://94.75.233.13:40200/1310uk1/HOME/41/5/1/
http://carcomputer.co.uk/image/1310uk1.rtf
http://phyccess.com/Scripts/Pony.rtf
http://144.76.220.116/gate.php
http://hotelnuovo.com/css/heap_238_id2.rtf
http://wirelesssolutionsny.com/wp-content/themes/Wireless/js/heap_238_id2.rtf
http://isc-libya.com/js/Pony.rtf
http://85.25.152.238/
Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).
Recommended blocklist:
94.75.233.13
144.76.220.116
85.25.152.238
carcomputer.co.uk
phyccess.com
hotelnuovo.com
wirelesssolutionsny.com
isc-libya.com