Not that new, but still noteworthy: spammers appear to be abusing Wells Fargo (an American bank) as a trusted sender. This is simple mail spoofing.
| Mail from "Georgina Franks" |
Some example senders (the addresses the mail appears to come from):
Evelyn_Piper@wellsfargo.com
Georgina_Franks@wellsfargo.com
Noe_Zavala@wellsfargo.com
As far as I could find, these email addresses do not even exist.
The mail itself is actually coming from the Pushdo botnet. Example IPs:
173.167.205.149 - IPVoid Result
209.181.66.178 - IPVoid Result
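The spoofed From: address says wellsfargo.com while the mail really comes from a Pushdo bot, and the only place that shows is the header chain (the "View Source" advice in the conclusion below). As an added example that is not part of the original post, the script below parses a constructed raw message and pulls out what matters: the From: domain, the envelope (Return-Path) domain, the IPs in each Received: hop, and whether any hop is one of the two Pushdo IPs named above. The message itself, its hostnames and the example.* domains are made up for illustration; only the two IPs are from the post.

```python
"""Find the real origin of a spoofed mail from its Received: chain."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: a spoofed "Wells Fargo" mail as our MTA (mail.example.com)
# received it. Received: headers are prepended by each relay, so the topmost one
# is written by our own server and is the only one we can fully trust; the
# lower ones come from the sending side and can themselves be forged.
RAW_MAIL = b"""Return-Path: <bounce@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.com with ESMTP id AbC123; Tue, 18 Jun 2013 09:12:01 +0200
Received: from 173-167-205-149.some-isp.example (unknown [173.167.205.149])
\tby mx.example.org with SMTP; Tue, 18 Jun 2013 09:11:58 +0200
From: "Georgina Franks" <Georgina_Franks@wellsfargo.com>
To: victim@example.com
Subject: Your Wells Fargo statement
Message-ID: <20130618071158.GA1234@173-167-205-149.some-isp.example>
Content-Type: text/plain

Please find your statement attached.
"""

# The two Pushdo IPs named in the post.
PUSHDO_IPS = {"173.167.205.149", "209.181.66.178"}

# Bracketed IPv4 literal inserted by the receiving MTA, e.g. "(unknown [1.2.3.4])".
HOP_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_domain(value):
    """Lowercase domain part of an address header, or None if absent."""
    if value is None:
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)", str(value))
    return m.group(1).lower() if m else None


def analyse(raw: bytes) -> dict:
    """Summarise where a mail claims to come from versus where it came from."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = header_domain(msg["From"])
    return_path_domain = header_domain(msg["Return-Path"])

    # Newest hop first; the last entry is the hop closest to the sender.
    hops = []
    for received in msg.get_all("Received", []):
        m = HOP_IP.search(str(received))
        if m:
            hops.append(m.group(1))

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "hops": hops,
        "origin_ip": hops[-1] if hops else None,
        # A visible From: that does not match the bounce address is the
        # classic sign of spoofing (legitimate bulk mail can trip it too).
        "envelope_mismatch": from_domain != return_path_domain,
        "known_botnet_hop": sorted(set(hops) & PUSHDO_IPS),
    }


if __name__ == "__main__":
    for key, val in analyse(RAW_MAIL).items():
        print(f"{key:20} {val}")
```

Run against real mail, feed it the message as saved by your client ("View Source" / "Show Original") instead of RAW_MAIL; a hop IP can also be checked against your reputation source of choice, as the post does with IPVoid.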
All the links in the mail are legitimate, which is meant to convince you that the attachment is legitimate as well. When you open the ZIP file (named WellsFargo.yourmailprefix), you're presented with what looks like a PDF file but is in fact an EXE file:
MD5: 47e739106c24fbf52ed3b8fd01dc3668
VirusTotal Report
Anubis Report
Malwr Report
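The lure works because Windows hides known extensions and the EXE carries a PDF icon, so the name and the icon say "document" while the first two bytes say "MZ". As an added example (not code from the original post), the script below builds a small ZIP in memory with a constructed stand-in for the lure and inspects each member by magic bytes and extension, flagging double extensions such as .pdf.exe. The member names and the MZ-header bytes are made up; they are not the real sample.

```python
"""Check a ZIP attachment for executables posing as documents."""
import io
import zipfile

# File signatures relevant to this kind of lure.
MAGIC = {
    b"MZ": "Windows executable (PE/MZ)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive",
}
# Extensions Windows will run on double-click.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# "Document" extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def identify(head: bytes) -> str:
    """Name the file type from its leading bytes, ignoring the extension."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def inspect_zip(blob: bytes) -> list:
    """Return one finding per archive member: what it claims to be vs. what it is."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # the magic bytes are all we need
            lower = info.filename.lower()
            parts = lower.rsplit(".", 2)   # e.g. ["statement", "pdf", "exe"]
            ext = "." + parts[-1] if len(parts) > 1 else ""
            decoy = len(parts) == 3 and "." + parts[-2] in DECOY_EXTENSIONS
            kind = identify(head)
            findings.append({
                "name": info.filename,
                "type": kind,
                "executable_extension": ext in EXEC_EXTENSIONS,
                "disguised_as_document": decoy,
                # Either signal alone is enough to quarantine the attachment.
                "suspicious": ext in EXEC_EXTENSIONS or kind.startswith("Windows executable"),
            })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: a fake PE next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stand-in for the lure: an MZ header and padding, not a real program.
        zf.writestr("WellsFargo_Statement.pdf.exe",
                    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)
        zf.writestr("readme.txt", b"Please see the attached statement.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:32} {f['type']}")
```

The magic-byte check matters more than the extension: renaming the EXE to .pdf would slip past a name-only filter but still starts with MZ. In a mail gateway you would apply the same routine to the attachment bytes before delivery rather than after the user has already double-clicked.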
This malware is known as Fareit (or Tepfer). According to Microsoft:
Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.
When executed, the file looks for quite a lot of data to steal, phones home to update its configuration files, and downloads additional malware (Zeus). Below you can find an image of the data it tries to steal:
| List of programs it tries to extract username/password from |
So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials, among other things. If you thought Fareit was enough, guess again! The FBI made a good image of how the Zeus 'scheme' works:
| Cyber Theft Ring details |
The downloaded Zeus files all have a very low detection rate on VirusTotal. Hint: check out the VirusTotal report for the sample above and click the "Behavioural Information" tab. Note that the links there are live!
Conclusion
- Don't open attachments from unknown senders. In fact, don't even open mail from unknown senders.
- Don't be fooled by mail spoofing; you can view the real source by right-clicking the mail and choosing "View Source". (This depends on your mail client.)
- Don't be fooled by fancy icons; these are actually EXE files. You can enable an option in Windows so you always see the real file type: Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up to date and running.
- If you're in an organisation, you might want to block the following IPs (duplicates removed). Review the list before deploying it: 64.4.10.33:123 is Microsoft's time.windows.com NTP server, and 173.194.67.105, 173.194.67.94, 74.125.24.105 and 74.125.24.94 are Google addresses. Those are legitimate services the sample talked to, not attacker infrastructure, and blocking them will break normal traffic.
173.255.213.171
173.201.59.32
62.149.131.162
173.254.68.134
207.204.5.170
108.233.198.131
99.159.193.22
95.249.114.32
122.178.149.88
211.209.241.213
181.67.50.91
108.74.172.39
142.136.161.103
84.59.138.75
66.63.204.26
89.122.155.200
76.226.112.216
182.68.130.230
200.180.176.65
94.67.83.244
24.120.165.58
87.66.14.62
2.180.24.120
41.34.11.17
71.43.167.82
99.98.209.3
50.141.158.229
82.211.180.109
173.194.67.105
173.194.67.94
90.156.118.144
116.202.222.102
90.189.54.253
212.182.121.226
184.80.8.18
79.29.227.158
112.78.142.66
201.122.96.80
5.199.171.133
199.7.177.218
74.120.9.245
74.125.24.105
74.125.24.94
78.140.131.151
201.245.14.237
64.4.10.33:123
178.40.101.100
78.100.36.98
190.21.64.25
187.153.52.160
Stay safe.