Phishing attempt in fake KBC email: “KBC Bankkaart beveiliging”


MX Lab, http://www.mxlab.eu, intercepted a new phishing campaign by email with the subject “KBC Bankkaart beveiliging”.

This email is sent from the spoofed address “KBC Bank <kbc@kbc-mailing.be>” and has the following body:

Dear KBC Customer,

We recently received a report showing that an attempt was made to log in to your bank account from a foreign IP.

For this reason we have taken the necessary measures to secure your current account optimally, and we will replace your old
bank card with a new secured bank card.

This works as follows:
1 You must send your old bank card(s) to

Attn: KBC Recycle-Punt
Address: ISABELLALEI 120
2018 ANTWERPEN

2 To complete the process you must click the link below

Complete request

Replacement of the bank card is completely free of charge.
Your bank card is replaced in an environmentally friendly way.
Posted before 18:00, you will receive your new bank card the next working day (after receipt of your old bank card).
Note: After 25 July 2016 you can no longer use your old bank card.
If you still have your old bank card in your possession after that date, your KBC-Online
Internet Banking will also be blocked.

Kind regards,

KBC Fraud Helpdesk

In this fake email, written in Dutch and therefore targeting KBC customers in Belgium, the recipient is instructed to mail the old bank card(s) to a postal address given in the email and to follow an embedded URL.

Since the hosting provider has taken the malicious web page offline, we can't review the whole process, but the campaign may use multiple URLs or a new variant may appear soon. We assume that the malicious web site asks for more details such as your name and, of course, the PIN code of the bank card. With the physical card in the mail and the PIN collected online, the attacker has everything needed to use the card at an ATM.

MX Lab recommends not to follow any instructions in emails regarding your bank card and/or the use of your PIN code. Banks will never send you such instructions by email; if you are uncertain, contact your local bank branch before following any instructions.
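The sender address is the first thing a mail gateway can test here: the display name and the domain both carry the KBC brand, but “kbc-mailing.be” is not a domain the bank sends from. The check below is an added example (not part of MX Lab's post or tooling) that flags a brand-carrying sender whose registered domain is not on the brand's allowlist; the list of genuine KBC domains is an assumption made for the example.

```python
"""Brand-impersonation check for a From: header such as the fake KBC mail's.

Added example, not MX Lab's code.  The mapping of brand token to genuine
sending domains is assumed for illustration, not taken from the post.
"""
from email.utils import parseaddr

# Assumed: domains that the brand legitimately sends mail from.
BRAND_DOMAINS = {
    "kbc": {"kbc.be", "kbc.com"},
}


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .be/.com style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Return (brand, verdict); verdict is 'genuine', 'impersonation' or 'no-brand'.

    A brand is "mentioned" when its token appears in the display name or in the
    leftmost label of the registered domain (kbc-mailing.be mentions "kbc").
    """
    display, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reg = registered_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        mentioned = brand in display.lower() or brand in reg.split(".")[0]
        if not mentioned:
            continue
        return brand, ("genuine" if reg in allowed else "impersonation")
    return None, "no-brand"


if __name__ == "__main__":
    print(check_sender("KBC Bank <kbc@kbc-mailing.be>"))
```

The heuristic is deliberately narrow: it does not try to authenticate the message (SPF or DKIM would be the next step), it only catches the lookalike-domain pattern this campaign uses. A subdomain of a genuine domain (mail.kbc.be) is accepted because the registered domain is compared, not the full host.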

New malware in email “fixed invoice”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “fixed invoice”.

This email is sent from spoofed addresses and has the following body (two of the observed variants are shown):

I am very sorry for the wrong data file you received from me yesterday.
Attached is the fixed invoice

—–

Yours truly,

Viola Mccray
STATPRO GROUP
phone: +1 (151) 355-16-68
fax +1 (151) 355-16-45
Index: 0d83e1e98e306cda964c29182bb9fe9bdaed
e-mail: Mccray.22@iaama.org.au

I am very sorry for the wrong data file you received from me yesterday.
Attached is the fixed invoice

—–

Yours faithfully,

Connie Pugh
IMPAX ASSET MANAGEMENT GROUP PLC
phone: +1 (787) 307-00-33
fax +1 (787) 307-00-20
Index: 8693c4f8e80bb0f9f9523c15af2dda656611b4e66004cda911
e-mail: Pugh.7714@sugarcreekheatingcooling.com

The attached file update_0546.zip contains the file AT0002875.wsf, a Windows Script File that the Windows Script Host executes when the victim opens it.

The malware is detected by 3/54 AV engines at VirusTotal.

Email “Detran-Informa (47402)” contains URL to malicious VBS script


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with subjects like:

Detran-Informa (47402)
ipva-2016 – detran (51511)

This email is sent from spoofed addresses and has the following body:

and Debts Relating to IPVA 2016
____________________________________________________________________

IPVA 2016 DEBT STATEMENT

Dear Driver,

We inform you that our database shows Debts Relating to IPVA 2016
under your CPF / CNPJ, which were not settled on their respective due dates.

We ask your attention to this notice, as legal measures will be taken, such
as inclusion in our ACTIVE DEBT System and a block on the National Register
of Natural Persons, as well as on the National Register of Legal Entities.

Check the existing debts relating to:

IPVA
Traffic fines, CETESB and RENAINF
Licensing fee
DPVAT
Debitos Pendente.Pdf

“THE INFORMATION ABOVE, FOR THE EXCLUSIVE USE OF THE ADDRESSEE, IS PROTECTED BY CONTRACTUAL
CONFIDENTIALITY. ITS USE BY ANOTHER PERSON, OR FOR A PURPOSE OTHER THAN THE ONE CONTRACTED,
CONSTITUTES A CIVIL OFFENCE, RENDERING THE EVIDENCE UNUSABLE IN PROCEEDINGS”.

IPVA 2016 – http://www.denatran.serpro.gov.br

The embedded URL, a bit.ly short link, downloads a VBS file that is detected as Trojan-Downloader.VBS.Agent.bwv by 1/54 AV engines at VirusTotal. Note that the link text in the body shows a denatran.serpro.gov.br address while the actual target is the shortener, which hides the real download location from the reader.

New Javascript malware: Invoice


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice”.

This email is sent from spoofed addresses and has the following body:

Please find the invoice attached.
How about meeting on Friday?

Yours truly,
Celia Mack

SANDERSON GROUP
Phone +1 (034) 518-10-59
Fax +1 (034) 518-10-15
Reply-Index: b4f80c6e9044369fb9e48407131505b7b26a779c8461
e-mail: Mack.44368@boukouvalas.org

The attached file 3dalain_1819047.zip contains the file INV000 fd64.js. Note that the signature in the email and the filenames of the ZIP archive and the payload may change with each email.

The malware is detected by 6/53 AV engines at VirusTotal, and more detailed information is available on Malwr.

Email “RE: Order Ref:160627/Sample Images” contains malicious jar attachments


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “RE: Order Ref:160627/Sample Images”.

This email is sent from spoofed addresses and has the following body:

Dear Sir/Madam,

We are interested in importing products as listed in the attached.

Quantity Required : 1×20′ Container

Shipping Terms : FOB

Destination Port : Hong Kong

Payment Terms : Negotiable

Looking for suppliers from : Worldwide

Regards

Contact : Adam Jaffari

COMPANY : Silver Star Investment Ltd
ADDRESS : Unit 08, 12 Floor, Inter-Continental Plaza, 94 Granville Road,T.S.T. East, Kowloon
PHONE : 852-23 69 06 90 852-90234794
EMAIL : ozkgroup@yahoo.com

{VERIFIED BUYLEAD}

______________________________________________________________
______________________________________________________________
To respond to this inquiry mailto:ozkgroup@yahoo.com
Email : ozkgroup@yahoo.com
______________________________________________________________

The attached files Order_00118302-pdf.jar and IMG_00001182-pdf.jar are detected by 6/56 AV engines at VirusTotal. The “-pdf” in the names is meant to suggest a document, but the real extension is .jar: a Java archive that runs when opened on a system with a Java runtime installed.

New Javascript malware with subject “Corresponding Invoice” leads to Locky


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Corresponding Invoice”.

This email is sent from spoofed addresses and has the following body:

Dear pyhewliof:

Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.

Yours sincerely
Ollie Fields
Distributor Sales Manager EMEA

The attached file pyhewliof_unpaid_351165.zip contains the file unpaid-4716.js. The headers of the email and the naming of the attached ZIP archive vary with each email.

The JavaScript downloader is detected by 1/53 AV engines at VirusTotal. Malwr analysis shows that different download locations are being used:

personal-architecture.nl/6gcpaey
ding-a-ling-tel.com/b289dg
plasticsmachine.com/d43ndxna
hyip-all.com/9qwmc65

The payload downloaded from these locations is detected by 8/56 AV engines at VirusTotal.

New Javascript malware in ZIP archive by email message with subject “Re:”


MX Lab, http://www.mxlab.eu, started to intercept a large new malware distribution campaign by email with the subject “Re:”.

This email is sent from spoofed addresses and has the following body:

Dear carlasvhue:

Please find attached our invoice for services rendered and additional disbursements in the above-
mentioned matter.

Hoping the above to your satisfaction, we remain.

Sincerely,
Lynnette Fernandez
Executive Director Finance & Information Systems

The attached file services_carlasvhue_451648.zip (format name_recipient_numbers.zip) contains the file addition-029.js (format addition_number.js). This file contains an obfuscated Javascript.

The malware is detected as Js.Trojan.Raas.Auto or virus.js.gen.85 by 2/55 AV engines at VirusTotal.
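The campaigns in the “fixed invoice”, “Invoice”, “Sample Images”, “Corresponding Invoice” and “Re:” posts share a few traits that a gateway can test before any AV signature exists: a script (.wsf, .js, .vbs, .jar) inside a ZIP archive, a document-like token in front of the real extension (“-pdf.jar”), an archive name that embeds the recipient's mailbox name (services_carlasvhue_451648.zip for a mail addressed to carlasvhue), and a shortener link standing in for the real download location. The script below is an added example, not MX Lab's code; the message it inspects is constructed here to combine those traits and is not a captured sample.

```python
"""Attachment triage for the ZIP/JS/WSF/JAR lures described in these posts.

Added example, not MX Lab's code.  build_sample() constructs a MIME message
that mimics the lures (sample data, not a captured mail); triage() returns
the findings a gateway rule set could act on.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Extensions the Windows Script Host or a Java runtime executes on double-click.
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "vbs", "vbe", "jar", "hta"}
# A document-like token placed before the real extension, e.g. "Order_...-pdf.jar".
DOUBLE_EXT_RE = re.compile(r"[-_.](pdf|docx?|xlsx?|jpe?g|png)\.[a-z0-9]{2,4}$", re.I)
# Shortener hosts that hide the real download location from the reader.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(data):
    """Names of script-type members inside a ZIP; [] if the data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if extension(n) in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    _, to_addr = parseaddr(str(msg["To"] or ""))
    local_part = to_addr.split("@", 1)[0].lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension(name)
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment: {name}")
        if DOUBLE_EXT_RE.search(name):
            findings.append(f"double extension: {name}")
        if ext == "zip":
            for member in inspect_zip(payload):
                findings.append(f"script inside archive: {name} -> {member}")
        # The "Re:" campaign names the archive services_<recipient>_<digits>.zip.
        if local_part and local_part in name.lower():
            findings.append(f"recipient name embedded in attachment: {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENERS:
            findings.append(f"shortened URL: {host}")
    return findings


def build_sample():
    """Constructed message mimicking the lures above; not a real captured sample."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Placeholder content: the real campaign shipped obfuscated JavaScript here.
        zf.writestr("addition-029.js", "// constructed placeholder\n")
    msg = EmailMessage()
    msg["From"] = "Lynnette Fernandez <finance@sender.invalid>"
    msg["To"] = "carlasvhue@recipient.invalid"
    msg["Subject"] = "Re:"
    msg.set_content(
        "Dear carlasvhue:\n\nPlease find attached our invoice.\n"
        "https://bit.ly/example-only\n"  # constructed shortener link, not a real IOC
    )
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="services_carlasvhue_451648.zip")
    # Second attachment shaped like the "Sample Images" jar lure (empty content).
    msg.add_attachment(b"", maintype="application", subtype="java-archive",
                       filename="Order_00118302-pdf.jar")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Each finding on its own is a weak signal (legitimate mail does carry ZIPs and shortened links), but two or more together on an unsolicited “invoice” are a strong reason to quarantine before the first AV engine catches up, which in these posts took a day or more at 1/53 and 2/55 detections.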
