Ongoing Spam Campaign Related to Swift
Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page:
The HTML link point to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromized Wordpress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to 95.140.125.110 but it is not valid anymore (take down already completed?)
Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Malware Analysis Tools and Techniques | Frankfurt | Dec 9th - Dec 14th 2024 |
Comments
OUCH!
PE means Windows is the target.
Do you REALLY think that most of Windows' users sit behind a (filtering) web proxy?
GET REAL!
Anonymous
Jun 20th 2016
8 years ago
Anonymous
Jun 20th 2016
8 years ago
In SOHO/HO environments and of course in front of Joe/Jane Average's computer(s) -- even if they run a business or their own company -- you typically won't find a (filtering) proxy.
THAT'S LIFE!
Anonymous
Jun 20th 2016
8 years ago
In corporate environments you typically have Administrators who can (or should be able to) protect their users for example via SAFER from (not only) this attack vector.
The majority of Windows' users but don't work in such environments.
Anonymous
Jun 20th 2016
8 years ago