Targeted e-mail attacks asking to verify wire transfer details

Targeted e-mail attacks asking to verify wire transfer details
There is a new e-mail wave doing the rounds (we have reports from June 3 & 4). It is a very targeted e-mail attack against different organizations, that contains an attached malware specimen in the form of a RTF file, called "details.rtf". The mail asks the victim to verify a wire transfer, being the malicious attachment the alleged wire statement. In some of the cases, the victims are indeed financial personel within the target organization in charge of daily wire transfers. Time to spread an internal awareness campaign in your financial departments! The current AV detection rate is low (according to VirusTotal) for the samples we have received: 7/39 - SHA1 : 0f7288043f556542744fd2c87511ff002b5d5379 4/39 - SHA1 : e248fd659415f15d1238063efd1f122f91ac071c The spare phishing e-mail looks like this: `-- From: Kenneth Duford [mailto:ken.duford@<VARIOUS-DOMAINS>] Sent: Wednesday, June 0X, 2009 XX:XX PM To: <VICTIM E-MAIL> Subject: Re:Please verify wire details``<VICTIM NAME>` The wire transfer has been released. BENEFICIARY : <VICTIM NAME> ABA ROUTING# : XXXX1197 ACCOUNT# : XXX-XXX-XXX394 AMMOUNT : $17,653.15 <TARGETED VICTIM COMPANY NAME> Please check the wire statement attached and let me know if everything is correct. I am waiting for your reply. Kenneth Duford --- On Sun, 02/06/09, <VICTIM NAME> <VICTIM E-MAIL> wrote: From: <VICTIM NAME> <VICTIM E-MAIL> Subject: wire transfer To: ken.duford@<VARIOUS-DOMAINS> Date: Mon, 1 June 2009, 10:47 AM We still haven't received the wire transfer. Thank you <VICTIM NAME> `--` Some of the domains we have seen in the "From" field are pinnaclerestaurantcorp.com and teoinc.com. An early analysis thanks to fellow handler Pedro confirms the exe (or .scr) component is trying to connec to "abfforms.com", with this specific URL: "/bluehost/index.php?open=myid". Currently the site is suspended. Thanks to the ISC readers (that want to remain anonymous) for the initial details and samples. -- Raul Siles www.raulsiles.com	Raul Siles 152 Posts Jun 4th 2009
Thread locked Subscribe	Jun 4th 2009 1 decade ago
We also have seen this with a domain from field of VESUVION.COM. File details.rtf received on 2009.06.09 16:05:12 (UTC) Result: 6/33 (18.19%) Antivirus Version Last Update Result a-squared 4.5.0.18 2009.06.09 - AhnLab-V3 5.0.0.2 2009.06.09 - AntiVir 7.9.0.183 2009.06.09 - Antiy-AVL 2.0.3.1 2009.06.09 - Authentium 5.1.2.4 2009.06.09 - Avast 4.8.1335.0 2009.06.08 - BitDefender 7.2 2009.06.09 Trojan.Downloader.Delf.OPN CAT-QuickHeal10.00 2009.06.09 - ClamAV 0.94.1 2009.06.09 - Comodo 1296 2009.06.09 - eSafe 7.0.17.0 2009.06.09 - eTrust-Vet 31.6.6549 2009.06.09 - F-Prot 4.4.4.56 2009.06.08 - Gdata 19 2009.06.09 Trojan.Downloader.Delf.OPN Ikarus T3.1.1.59.0 2009.06.09 - K7AntiVirus 7.10.757 2009.06.08 - McAfee 5641 2009.06.09 Generic Downloader.c McAfee+Artemis 5640 2009.06.08 Generic Downloader.c McAfee-GW-Edition 6.7.6 2009.06.09 - Microsoft 1.4701 2009.06.09 TrojanDownloader:Win32/Agent.KHI NOD32 4141 2009.06.09 - Norman 6.01.09 2009.06.09 - nProtect 2009.1.8.0 2009.06.09 - Panda 10.0.0.14 2009.06.09 - PCTools 4.4.2.0 2009.06.09 - Prevx 3.0 2009.06.09 - Sophos 4.42.0 2009.06.09 Mal/RtfExe-A Sunbelt 3.2.1858.2 2009.06.09 - Symantec 1.4.4.12 2009.06.09 - TheHacker 6.3.4.3.342 2009.06.08 - TrendMicro 8.950.0.1092 2009.06.09 - ViRobot 2009.6.9.1775 2009.06.09 - VirusBuster 4.6.5.0 2009.06.09 - Additional information File size: 129465 bytes MD5...: 964f36fcce949151b05d178dc31adc67 SHA1..: ef1a7f99a539125adf961056679e8f6033e5d910 SHA256: dede5f42af2ba2684d4451f563cd79cdb37961591c4faf73bcbc3c99a5d9e694 ssdeep: - PEiD..: - TrID..: File type identification Rich Text Format (100.0%) PEInfo: - PDFiD.: - RDS...: NSRL Reference Data Set	Anonymous
Quote	Jun 9th 2009 1 decade ago