Fake email with subject “Direct Debiting Seminar Invite” from employee of Natwest contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Direct Debiting Seminar Invite”

This email is send from the spoofed address “BBB <noreply@bbb.org>” and has the following body:

Good morning,

Please find attached the above, which I thought that you maybe interested in attending.

Kind Regards.

Graham Nevin
Senior Relationship Manager
Commercial Banking
NatWest
1 St Paul’s Place
121 Norfolk Street
Sheffield S1 2JF

Telephone: 0114 2066516
Fax: 0114 2723130
Mobile: 07801 194982
Email: graham.nevin@rbs.co.uk

National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised and regulated by the Financial Services Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.
Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

The attached ZIP file has the name invitation5549DA0FBCA8A4A69EB.zip and contains the 95 kB large file invitation.exe.

The trojan is known as UDS:DangerousObject.Multi.Generic.

This trojan has the capability to download other files from the internet.

It will create a file %Temp%\104125.bat and modify some Windows registry values.

The trojan will make a connection with the following hosts to read the file:

hxxp://62.76.179.167/0411.exe
hxxp://85.143.166.167/oni/0411.exe

Files are also being downloaded from:

hxxp://networksecurityx.hopto.org

MX Lab managed to download the file 0411.exe which is  approx. 340 kB large. Analysis at Virus Total shows that this file is not detected as a threat yet.

This new file will create a process yqur.exe on the infected system, cteate a new memory page in the address space of the system process(es) cmd.ex, modifies some Windows registry values and can download/connect to other hosts.

At the time of writing, 1 of the 47 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: add1271b7b4a7cd50318f6c0c1e969f0f46b53dce695a2b5e51c4289da1f8071.
Malwr permalink and SHA256: c9f5937b5c33f62a0c2e27ca3b8ecfc4e1af755140ad1cc279f6975c95b3938e.

17 Responses to Fake email with subject “Direct Debiting Seminar Invite” from employee of Natwest contains trojan

  1. Aniki says:

    You have the Malwr hash?

  2. Lizzie says:

    I received 4 of these emails today. Rang Natwest fraud line – thought they might be interested. Apparently not! Just asked me to forward it to them but gave an air of total indifference. Thankfully, I don’t bank with them.

  3. Chas says:

    I am curious where they got their list of email addresses to target. I have had this sent to a few, but one of them has only been used with Government Gateway and NatWest FastPay.

  4. Fs Ck says:

    Interestingly I have had two emails to two addresses EXCLUSIVELY used with Santander in UK. I run all my banking in a non-persistent Linux live-distro and therefore this MUST have been from a bank security breach. I have around 500 different email addresses and not a single one of the others have had a similar email in 5 years. In fact no spam filtering and this is the first phishing email in 5 years.

    Santander – you have been hacked…

    • Chas says:

      That’s another possible link Fs Ck – I’ve also used Santander bank accounts. Your email not hosted by Easyspace by any chance ?

      • Steven K says:

        I also had this email on an account ONLY used by Santander UK, I’ve never had anything to do with Easyspace.

        What are the chances of Santander owning up and emailing everybody in their mailing list and warning them their email addresses have been exposed, I would rate it at slim to none…..

    • Phil says:

      Same here, both myself and a friend using unique email addresses only Santander has, both received several of these emails. The fact it contains a banking related subject seems to suggest the people getting hold of these email addresses know the source for them, and assumed the recipients would be more susceptible to a banking related subject. One email address Santander has had for 8 years, never been SPAM’d until now.

      I’ve forwarded details to their phising email address, I expect it will be swept under the carpet.

  5. Loz says:

    Just had the email and this was also sent to an address used exclusively for Santander.

  6. Danhotrod says:

    Interesting thread. And guess what, my son and I also received the emails, we both bank with Santander, and both use a specific email address for use as contact details for the bank. We both run Linux too so little chance the emails have been harvested from our PCs. It does feel like this stems from Santander.

  7. mxlab says:

    For your information, SC Magazine UK has written an article regarding this virus outbreak. You can read it at http://www.scmagazineuk.com/banks-investigate-security-breach-allegations/article/319643/

  8. sthen says:

    Same here, email sent to an address which I created specifically to give to Santander when I used to be a customer.

  9. Matthew says:

    Again, same here – email sent to an email address only given to Santander.

  10. Chas says:

    A new wave of emails has arrived to addresses stolen from Santander systems:

    Voice Message Notification
    You received a new message from Skype voicemail service.

    Message Details:
    Time of Call: Wed, 27 Nov 2013 02:20:21 +0200
    Length of Call: 26sec

    Listen to the message in the attached file.

    Contents of attached Skype_Voice_Message.zip detected as:
    Luhe.Fiha.A

  11. Pingback: ste williams – Oi, bank manager. Only you’ve got my email address

  12. Pingback: Oi, bank manager. Only you’ve got my email address – where’re these TROJANS coming from? | Gens News

Follow

Get every new post delivered to your Inbox.

Join 318 other followers

%d bloggers like this: