This fake Wells Fargo spam run comes with one of two malicious attachments:
Date: Mon, 10 Jun 2013 13:00:13 -0500 [14:00:13 EDT]
From: Anthony_Starr@wellsfargo.com
Subject: IMPORTANT – WellsFargo
Please check attached documents.
Anthony_Starr
Wells Fargo Advisors
817-563-9816 office
817-368-5471 cell Anthony_Starr@wellsfargo.com
ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES.
To unsubscribe from marketing e-mails from:
. An individual Wells Fargo Advisors financial advisor: Reply to one of his/her
e-mails and type “Unsubscribe” in the subject line.
. Wells Fargo and its affiliates: Unsubscribe at
www.wellsfargoadvisors.com/unsubscribe. Neither of these actions will affect delivery of
important service messages regarding your accounts that we may need to send you or
preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit
http://wellsfargoadvisors.com/disclosures/email-disclosure.html .
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
There is a ZIP file attached to the email message, and the spammers have attempted to name the attachment after the recipient, but because the spam has multiple recipients it may end up with a random name. Inside the ZIP file is an EXE file, and there appear to be two variants.
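The attachment pattern described here (a ZIP wrapping an EXE, with a filename that varies per recipient) is exactly what a mail gateway or triage script should catch regardless of the name. The following is an added example, not code from the original post: it expands a ZIP attachment in memory, hashes each member with the same four values the CAMAS tables below report (size, MD5, SHA1, SHA256), flags members that are executable by extension or by the PE `MZ` header, and compares the hashes against the two checksum sets quoted in the write-up. The executable-extension list and the per-member size cap are assumptions, and the sample ZIP is constructed with a harmless stub rather than the real malware.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

# Checksums quoted in the write-up (Comodo CAMAS) for the two attachment variants.
KNOWN_BAD = {
    "Important WellsFargo Doc.exe": {
        "size": 94720,
        "md5": "70e604777a66980bcc751dcb00eafee5",
        "sha1": "52ef61b6296f21a3e14ae35320654ffe3f4e769d",
        "sha256": "f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae",
    },
    "Important WellsFargo Docs.exe": {
        "size": 114176,
        "md5": "47e739106c24fbf52ed3b8fd01dc3668",
        "sha1": "b85b4295d23c912f9446a81fd605576803a29e53",
        "sha256": "2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b",
    },
}

# Assumption: a gateway would treat these extensions as executable content.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com")
# Assumption: refuse to expand any archive member larger than this (zip-bomb guard).
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def hash_bytes(data: bytes) -> Dict[str, object]:
    """Return the same four values the CAMAS tables list: size, MD5, SHA1, SHA256."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_known_bad(hashes: Dict[str, object]) -> Optional[str]:
    """Name of the variant whose SHA256, SHA1 or MD5 matches, else None."""
    for name, ioc in KNOWN_BAD.items():
        if any(hashes.get(algo) == ioc[algo] for algo in ("sha256", "sha1", "md5")):
            return name
    return None


def inspect_zip_attachment(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Hash every member of the attachment and flag executables and known-bad hashes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                # Read one byte past the cap so an oversized (or lying) member is caught
                # without trusting the size declared in the ZIP header.
                data = member.read(MAX_MEMBER_BYTES + 1)
            if len(data) > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "oversized": True, "executable": False,
                                 "mz_header": False, "known_bad": None})
                continue
            hashes = hash_bytes(data)
            findings.append({
                "name": info.filename,
                "oversized": False,
                # Extension check AND content check: a renamed PE still starts with "MZ".
                "executable": info.filename.lower().endswith(EXECUTABLE_EXTENSIONS),
                "mz_header": data[:2] == b"MZ",
                "known_bad": match_known_bad(hashes),
                **hashes,
            })
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """Gateway decision: known-bad hash first, then any executable/oversized member."""
    if any(f["known_bad"] for f in findings):
        return "block: known-bad hash"
    if any(f["executable"] or f["mz_header"] or f["oversized"] for f in findings):
        return "block: executable or oversized member inside ZIP"
    return "allow"


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a harmless fake PE stub, not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Important WellsFargo Doc.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not malware")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_zip_attachment(build_sample_zip())
    for f in results:
        print(f["name"], "executable" if f["executable"] else "data", f.get("sha256", ""), f["known_bad"])
    print(verdict(results))
```

The hash comparison only helps for these two exact samples; the extension and `MZ` checks are what keep catching the next run when the spammers rebuild the binary, which is why the verdict falls through to them rather than relying on hashes alone.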
One is called Important WellsFargo Doc.exe and it has a pretty shocking VirusTotal detection rate of 0/47 (yup.. none at all). The Comodo CAMAS report gives the following checksums..
| Name | Value |
|---|---|
| Size | 94720 |
| MD5 | 70e604777a66980bcc751dcb00eafee5 |
| SHA1 | 52ef61b6296f21a3e14ae35320654ffe3f4e769d |
| SHA256 | f669768216872c626abc46e4dd2e0b1d783ba5927166282922c16d6db3b8adae |
..it identifies that this version of the malware attempts to download additional components from mceneryfinancial.com on 173.255.213.171 (specifically it is a pony downloader querying /ponyb/gate.php). More of this later. ThreatTrack has a more detailed report which also identifies callbacks to www.errezeta.biz and ftp.myfxpips.com. ThreatExpert has a slightly different report and further identifies megmcenery.com, taxfreeincomenow.com, taxfreeincomenow.info and 207.204.5.170 (Linode, US).
The second version has a similarly named file called Important WellsFargo Docs.exe (plural) with a higher VirusTotal detection rate of 11/46. Comodo CAMAS reports the following file characteristics..
| Name | Value |
|---|---|
| Size | 114176 |
| MD5 | 47e739106c24fbf52ed3b8fd01dc3668 |
| SHA1 | b85b4295d23c912f9446a81fd605576803a29e53 |
| SHA256 | 2d0d16d29ceca912d529533aa850f1e1539f4b509ea7cb89b8839f672afb418b |
..in this case the pony download contacts hraforbiz.com (also on 173.255.213.171). Other analyses are pending.
Several of these malware domains are hosted on 173.255.213.171 (Linode, US) and we can assume that this server is compromised along with all the domains on it. 62.149.131.162 (Aruba, Italy) also seems to be compromised. 173.254.68.134 (Unified Layer, US) and 207.204.5.170 (Register.com, US) appear to be compromised in some way too. Of note is the fact that almost all of these domains appear to be legitimate but have been hacked in some way; I would expect them to be cleaned up at some point in the future.
Putting all these IPs and domains together gives a recommended blocklist:
173.254.68.134
173.255.213.171
207.204.5.170
62.149.131.162
911mx.com
aquaresi.it
arpa.sardegna.it
artisticlubsportincontro.it
babyfattoria.it
clipboom.it
comerioturismo.com
designedtextilesolutions.com
errezeta.biz
escortelegant.com
ftp.myfxpips.com
ganciocielo.com
gosuccessmode.com
gtti.it
hotelvillamaria.net
hraforbiz.com
itisrighi.fg.it
margueritemcenery.com
mceneryfinancial.com
megmcenery.com
pescareamessina.com
pizzotti.net
polisportivaairoldi.eu
salviamofirenze.it
shrinerapparel.com
shrinersapparel.com
shrinersapparel.net
sidmodena.it
stesrl.it
stivi.it
taxfreeincomenow.com
the-exhibitionist-journal.com
uniformexpert.com
uniformexperts.com
uniformoutfitter.net
uniformoutfitters.net
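Two points matter when this blocklist is actually deployed: the analyses name hosts like www.errezeta.biz while the list carries errezeta.biz, so matching has to cover subdomains (on label boundaries, not as a substring), and the Pony callback path /ponyb/gate.php is worth alerting on even for hosts not yet on the list. The following is an added example, not part of the original post: it reproduces the list above, does suffix matching on hostnames, emits BIND-style RPZ records (the `CNAME .` and `rpz-ip` trigger syntax are standard RPZ, used here on the assumption that the resolver supports it), and scans a few constructed squid-native-style proxy log lines for blocklist hits and gate.php callbacks. Client addresses, timestamps and the unlisted host in the sample lines are made up.

```python
import ipaddress
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# IPs and domains from the recommended blocklist above (the write-up's own list).
BLOCKED_IPS = {"173.254.68.134", "173.255.213.171", "207.204.5.170", "62.149.131.162"}
BLOCKED_DOMAINS = {
    "911mx.com", "aquaresi.it", "arpa.sardegna.it", "artisticlubsportincontro.it",
    "babyfattoria.it", "clipboom.it", "comerioturismo.com", "designedtextilesolutions.com",
    "errezeta.biz", "escortelegant.com", "ftp.myfxpips.com", "ganciocielo.com",
    "gosuccessmode.com", "gtti.it", "hotelvillamaria.net", "hraforbiz.com",
    "itisrighi.fg.it", "margueritemcenery.com", "mceneryfinancial.com", "megmcenery.com",
    "pescareamessina.com", "pizzotti.net", "polisportivaairoldi.eu", "salviamofirenze.it",
    "shrinerapparel.com", "shrinersapparel.com", "shrinersapparel.net", "sidmodena.it",
    "stesrl.it", "stivi.it", "taxfreeincomenow.com", "the-exhibitionist-journal.com",
    "uniformexpert.com", "uniformexperts.com", "uniformoutfitter.net", "uniformoutfitters.net",
}
# Callback path used by the Pony downloader, as named in the write-up.
PONY_GATE_PATH = "/ponyb/gate.php"


def domain_blocked(host: str) -> bool:
    """True if host or any parent domain is listed (www.errezeta.biz matches errezeta.biz).
    Matching is on label boundaries, so errezeta.biz.example.com does not match."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(addr: str) -> bool:
    """True for a listed IP; non-IP strings are simply not IP hits."""
    try:
        return str(ipaddress.ip_address(addr)) in BLOCKED_IPS
    except ValueError:
        return False


def rpz_records(domains: Iterable[str], ips: Iterable[str]) -> List[str]:
    """RPZ records: NXDOMAIN each domain and its subdomains, plus IP triggers for any
    answer resolving to a listed address (written prefix-length.reversed-octets.rpz-ip)."""
    recs = []
    for d in sorted(domains):
        recs.append(f"{d} CNAME .")
        recs.append(f"*.{d} CNAME .")
    for ip in sorted(ips):
        rev = ".".join(reversed(ip.split(".")))
        recs.append(f"32.{rev}.rpz-ip CNAME .")
    return recs


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Squid-native-style lines: space separated, client in field 3, URL in field 7,
    peer as HIERARCHY/ip in field 9. One hit per line touching the list or the gate path."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue
        url = urlsplit(fields[6])
        peer_ip = fields[8].split("/", 1)[-1]
        reasons = []
        if url.hostname and domain_blocked(url.hostname):
            reasons.append("blocked domain")
        if (url.hostname and ip_blocked(url.hostname)) or ip_blocked(peer_ip):
            reasons.append("blocked ip")
        if url.path == PONY_GATE_PATH:
            reasons.append("pony gate.php callback")
        if reasons:
            hits.append({"client": fields[2], "url": fields[6], "peer": peer_ip, "reasons": reasons})
    return hits


# Constructed log lines for the demo: listed hosts/IPs from the write-up, everything else made up.
SAMPLE_LOG = [
    "1370887213.101 120 10.0.0.5 TCP_MISS/200 4120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html",
    "1370887220.417 88 10.0.0.5 TCP_MISS/200 512 POST http://mceneryfinancial.com/ponyb/gate.php - DIRECT/173.255.213.171 text/html",
    "1370887231.002 75 10.0.0.9 TCP_MISS/200 9001 GET http://www.errezeta.biz/files/update.bin - DIRECT/62.149.131.162 application/octet-stream",
    "1370887240.550 60 10.0.0.9 TCP_MISS/404 300 POST http://unlisted-host.example/ponyb/gate.php - DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], hit["peer"], ", ".join(hit["reasons"]))
    print("\n".join(rpz_records(BLOCKED_DOMAINS, BLOCKED_IPS)))
```

The fourth sample line is the useful one: an unlisted host posting to /ponyb/gate.php is still flagged, which is how the next campaign's distribution domains get found before they make it onto a list like this. Since the author expects these hacked domains to be cleaned up eventually, the RPZ zone should be reviewed and expired rather than left in place indefinitely.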