Last Updated: 2016-06-20 13:07:07 UTC
by Xavier Mertens (Version: 1)
Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page:
The HTML link point to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromized Wordpress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to 126.96.36.199 but it is not valid anymore (take down already completed?)
Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant