Fake Invoice/Billing SPAM - PDF malware
11 June 2014 - "Focus Accounts Electronic Invoice and Billing Information for FC4800 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... Email reads:
Please find attached your May Invoice and, if you have requested them, additional reports relating to the call and line charges on this bill.
Don’t Forget – We provide a host of other products and services including:
Telephone Systems & Maintenance (both traditional and VoIP)
Office Cabling (Cat5)
IT Support & Maintenance, IT Equipment & Installation
Cloud Computing, Hosted Solutions, Data Backup & Antivirus
Broadband, FTTC, EFM, MPLS & Leased Lines
Mobile Phones & Mobile Broadband
Non-Geographic Numbers (0800, 0845, 0844, 0871)
Inbound and Call Centre Solutions
Web Design & Hosting, Search Engine Optimisation (SEO)
Gas & Electricity Procurement
If you have any problems opening the file(s), or would like to discuss your bill, please call us or reply to this email.
11 June 2014 : 211852.zip ( 57kb) : Extracts to report_92da3ec16736842.pdf.exe:
Current Virus total detections: 2/53*. This Focus Accounts is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Fake RBS SPAM spreads malware via Cubby .com
11 June 2014 - "This fake bank spam downloads malware from file sharing site cubby .com:
From: Sammie Aaron [Sammie@ rbs .com]
Date: 11 June 2014 12:20
Subject: Important Docs
Please review attached documents regarding your account.
To view/download your documents please click here
Tel: 01322 215660
Fax: 01322 796957
email: Sammie@ rbs .com
This information is classified as Confidential unless otherwise stated.
The download location is [donotclick]www .cubby .com/pl/Document-772976_829712.zip/_e97c36c260ed454d8962503b18e37e86 which downloads a file Document-772976_829712.zip which in turn contains a malicious executable Document-772976_829712.scr which has VirusTotal detection rate of just 1/54*. Automated analysis... show that it creates a file with the disincentive name googleupdaterr.exe and attempts to communicate with the following IPs:
22.214.171.124 (Intergenia AG, Germany)
126.96.36.199 (OVH, Canada)
188.8.131.52 (ITL Company, Ukraine)
Fake Booking .com email - attached ZIP file contains trojan
June 11, 2014 - "... new trojan distribution campaign by email with the subject 'Reservation for Thursday, June 12, 2014 BN_4914940'...
The attached ZIP file has the name BN_4914940.zip and contains the 95 kB large file report_92da3ec16736842.pdf.exe. Please note that the numbers in the subject, message or attachment may vary with each email. The trojan is known as PWSZbot-FXE!3B53E958ECF1 or TrojanSpy.Zbot.herw. At the time of writing, 2 of the 51* AV engines did detect the trojan at Virus Total... Remove the email immediately from your computer. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
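All three reports above describe a ZIP whose payload is an executable named to pass as a document (report_92da3ec16736842.pdf.exe, Document-772976_829712.scr). The following is an added example, not taken from any of the quoted reports, of a mail-gateway style check that lists ZIP members and flags executable final extensions, with a separate reason when a document extension sits in front. The extension sets and the function names `audit_zip` and `build_sample_zip` are assumptions chosen for illustration, and the sample archive is constructed from harmless placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run directly (illustrative subset, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-style extensions used as a decoy in front of the real one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for each suspicious member of a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Member names should use "/", but normalise "\" in case they do not.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            # Windows drops trailing dots and spaces, so strip them before parsing.
            suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
            if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                findings.append((info.filename, "decoy double extension"))
            else:
                findings.append((info.filename, "executable in archive"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: placeholder bytes under the file names from the reports."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report_92da3ec16736842.pdf.exe", b"placeholder")
        zf.writestr("Document-772976_829712.scr", b"placeholder")
        zf.writestr("invoice_may.pdf", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_zip(build_sample_zip()):
        print(f"{reason}: {member}")
```

The check works on names only, so it complements content scanning rather than replacing it; the low detection counts quoted above are the reason a name-based block at the gateway is worth having.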