This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.
From: Fiserv Secure Notification [mailto:[email protected]]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification – CC3DK9WJW8IG0F5
You have received a secure message
Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password – KsUs3Z921mA
To read the encrypted message, complete the following steps:
– Double-click the encrypted message file attachment to download the file to your computer.
– Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
– The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to [email protected] to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.
The bad IPs involved are:
18.104.22.168 (Linode, US)
22.214.171.124 (OTEnet, Greece)
126.96.36.199 (Caucasus Online Ltd, Georgia)
188.8.131.52 (1&1, Germany)
184.108.40.206 (AT&T, US)
220.127.116.11 (BSNL Internet, India)
18.104.22.168 (MTNL, India)
22.214.171.124 (ABTS Tamilnadu, India)
126.96.36.199 (Reliance Communications, India)
188.8.131.52 (Caucasus Online Ltd, Georgia)
184.108.40.206 (Telefonica de Argentina, Argentina)
220.127.116.11 (CANTV Servicios, Venezuela)
18.104.22.168 (Telefonica, Spain)
22.214.171.124 (Kyvon, US)
126.96.36.199 (CANTV Servicios, Venezuela)
188.8.131.52 (Doruknet, Turkey)
Leave a reply