“Payment Advice – Advice Ref:[GB813730] / CHAPS credits” Spam / Virus

Similar to yesterday's junk, another set has come through today with subjects of the form:

Payment Advice – Advice Ref:[GB<RANDOM>] / CHAPS credits

Content of

Sir/Madam,

Please download document from dropbox, payment advice is issued at the
request of our customer. The advice is for your reference only.

Download link:

http://www.cell-sorb-plus.com/NATWEST_RELEASES/bankline.html

Yours faithfully,
Global Payments and Cash Management
HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to
this email will be disregarded.

***************************************************************************
Security tips

1. Install virus detection software and personal firewall on your
computer. This software needs to be updated regularly to ensure you have
the latest protection.
2. To prevent viruses or other unwanted problems, do not open
attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of
this payment as soon as possible.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you
are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability
for any errors or omissions.
*******************************************************************
“SAVE PAPER – THINK BEFORE YOU PRINT!”

I forgot to post yesterday, but one of the addresses the junk was sent to was an e-mail address I had given to Meraki, a mobile device management company now owned by Cisco!

URLs involved in distributing the initial malware or dropper:


This time it serves a zip file called “doc676_pdf.zip” containing “doc649_pdf.exe” – VirusTotal Report / Malwr Report
SHA256: f04c3ed5715a53929e96b1a8256d2ff323122f5535581a7df7404a00c6365570
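As an added example (not part of the original post), here is a small Python triage script that turns the three observable traits of this run into checks a mail gateway or log review could apply: the subject template with its random GB<digits> reference, the lure path shared by every host, and the document-looking double extension on the executable inside the zip. The log line format, the host compromised-host.example and the function names are assumptions made for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse
# Campaign traits: subject template (GB<digits> is random), one lure path shared by every
# host, and a document-looking double extension on the executable inside the zip.
SUBJECT_RE = re.compile(r"Payment Advice\s*[–-]\s*Advice Ref:\[GB\d+\]\s*/\s*CHAPS credits")
LURE_PATH = "/natwest_releases/bankline.html"
DOUBLE_EXT_RE = re.compile(r"_(pdf|doc|xls)\.(exe|scr|com|pif)$", re.IGNORECASE)
# Constructed log format (hypothetical, not from the post): "subject=<...> url=<...>".
LOG_RE = re.compile(r"subject=(?P<subject>.*?)\s+url=(?P<url>\S+)")

def is_campaign_subject(subject: str) -> bool:
    """True if the subject matches the campaign template for any reference number."""
    return SUBJECT_RE.search(subject) is not None

def is_lure_url(url: str) -> bool:
    """True if the URL path is the shared lure path, whatever the host."""
    return urlparse(url).path.lower() == LURE_PATH

def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Names inside a zip that hide an executable behind a document-style name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if DOUBLE_EXT_RE.search(name)]

def triage_mail_log(lines: list) -> list:
    """Return (line, reason) for each log line hit by the subject or the URL indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_campaign_subject(m["subject"]):
            hits.append((line, "campaign subject"))
        elif is_lure_url(m["url"]):
            hits.append((line, "lure path"))
    return hits

def build_sample_zip() -> bytes:
    """Constructed stand-in for doc676_pdf.zip; the member is a placeholder, not a binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc649_pdf.exe", b"MZ placeholder")
    return buf.getvalue()
# Constructed sample log: a subject hit, a path-only hit on a different host, and a clean line.
SAMPLE_LOG = [
    "subject=Payment Advice – Advice Ref:[GB813730] / CHAPS credits url=http://www.cell-sorb-plus.com/NATWEST_RELEASES/bankline.html",
    "subject=Invoice for March url=http://compromised-host.example/NATWEST_RELEASES/bankline.html",
    "subject=Team lunch on Friday url=http://example.org/menu.html",
]
```

The path check deliberately ignores the host, because the same page was served from several unrelated compromised sites; matching on the path catches new hosts the block list has not seen yet.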
