The following intelligence brief will offer historical OSINT on the “NACHA security nitification” — the typo is intentionally left as this is how the original campaign was spamvertised — malware campaign.
Spamvertised body:
Dear Valued Client,We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions:-(ID: 13104924)-(ID: 04804768)-(ID: 37527025)-(ID: 51633547)initiated from your bank account by you or any other person, who might have access to your account.Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.
——————————————————————————————–
The ACH transaction (ID: 83612541), recently sent from your bank account
(by you or any other person), was rejected by the Electronic Payments
Association.
###############################################
Canceled transaction
Transaction ID: 83612541
Reason of rejection See details in the report below
Transaction Report report_1409.pdf.zip (ZIP archive, Adobe PDF)
###############################################
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA – The Electronic Payments Association
Spamvertised attachments: report_1409.pdf.zip; Report-8764.zip
Detection rate:
Report-8764.exe – Gen:Trojan.Heur.FU.bqW@amtJU@oi – 39/43 (90.7%)
MD5 : 7c131fa05e01fc32d8f4efe53aa883d1
SHA1 : 14d52d76dd7ccc595554486027634bf8c9877036
SHA256: 1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a
Upon execution the sample phones back to:
onemoretimehi.ru/piety.exe – 188.65.208.59; 178.208.91.192 – Email: [email protected]
onemoretimehi.ru/ftp/g.php
piety.exe – MD5: 4bd87ecc4423f0bc15e229ecbf33aa2c
onemoretimehi.ru/tops.exe – MD5: f076dbc365ec7bfc438ad3c728702122; 86c7489ac539a0b57a4d075e723075f0
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.
Leave a reply
