Similar to yesterday’s junk… another set has come through today with subjects similar to:
Payment Advice – Advice Ref:[GB<RANDOM>] / CHAPS credits
Content of
Sir/Madam,
Please download document from dropbox, payment advice is issued at the
request of our customer. The advice is for your reference only. Download link:
http://www.cell-sorb-plus.com/NATWEST_RELEASES/bankline.html
Yours faithfully,
Global Payments and Cash Management
HSBC
***************************************************************************
This is an auto-generated email, please DO NOT REPLY. Any replies to
this email will be disregarded.
***************************************************************************
Security tips
1. Install virus detection software and personal firewall on your
computer. This software needs to be updated regularly to ensure you have
the latest protection.
2. To prevent viruses or other unwanted problems, do not open
attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of
this payment as soon as possible.
*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you
are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.
Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability
for any errors or omissions.
*******************************************************************
“SAVE PAPER – THINK BEFORE YOU PRINT!”
I forgot to post yesterday but one of the addresses the junk was sent to… was an e-mail address I had given to Meraki, a mobile device management company now owned by Cisco!
URLs involved in distributing the initial malware or dropper:
http://www.callproc.com/NATWEST_RELEASES/bankline.html
http://www.cell-sorb-plus.com/NATWEST_RELEASES/bankline.html
http://www.alastaya.com/NATWEST_RELEASES/bankline.html
http://www.avralab.com/NATWEST_RELEASES/bankline.html
http://wss.ac.th/NATWEST_RELEASES/bankline.html
http://TEOTHERM.COM/NATWEST_RELEASES/bankline.html
This time it serves a zip file called “doc676_pdf.zip” containing “doc649_pdf.exe” – VirusTotal Report / Malwr Report
SHA256: f04c3ed5715a53929e96b1a8256d2ff323122f5535581a7df7404a00c6365570
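As an added example (my own code, not part of the original post), the following Python flags mail that matches this campaign: the "Payment Advice – Advice Ref:[GB…]" subject, links whose path is the NATWEST_RELEASES/bankline.html lure page regardless of the compromised host, and, for any zip that gets fetched, archive members that are executables dressed up as documents (the doc649_pdf.exe pattern, generalised to other document-like names and executable extensions). The sample messages and zip are constructed test data; the hash set holds only the SHA256 the post gives.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import urlparse

# Indicators from the post; everything else below is constructed for the demo.
SUBJECT_RE = re.compile(r"Payment Advice\s*[-\u2013]\s*Advice Ref:\s*\[GB[^\]]*\]", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_PATH = "/natwest_releases/bankline.html"
KNOWN_BAD_SHA256 = {"f04c3ed5715a53929e96b1a8256d2ff323122f5535581a7df7404a00c6365570"}
# Document-looking name followed by an executable extension, e.g. doc649_pdf.exe
DISGUISED_EXE_RE = re.compile(r"(pdf|doc|xls)\w*\.(exe|scr|com|js|vbs)$", re.I)


def campaign_urls(body):
    """Return links whose path is the lure page; the host varies per compromised site."""
    return [u for u in URL_RE.findall(body) if urlparse(u).path.lower() == LURE_PATH]


def classify_message(subject, body):
    """Return the list of reasons a message matches the campaign (empty if benign)."""
    reasons = []
    if SUBJECT_RE.search(subject):
        reasons.append("subject matches Payment Advice lure")
    for url in campaign_urls(body):
        reasons.append("link to lure page: " + url)
    return reasons


def suspicious_zip_members(data):
    """Names inside the zip that are executables pretending to be documents."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if DISGUISED_EXE_RE.search(n)]


def is_known_dropper(data):
    """True if the payload's SHA256 is in the post's indicator set."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def build_sample_zip():
    """Constructed stand-in for doc676_pdf.zip; the member is not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc649_pdf.exe", b"MZ constructed placeholder")
        zf.writestr("readme.txt", b"harmless member")
    return buf.getvalue()
```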