Email with information about an ACH debit transfer created on your behalf leads to malware


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign spread by email with the following subjects:

ACH debit transfer was hold by Yolo Community Bank
ACH payroll payment was not accepted by Central Trust and Savings Bank
ACH Transfer was not accepted by Eldorado Bank
ACH debit transfer was hold by The Mechanics Bank
Funds transfer was hold by our bank

The email is sent from various spoofed addresses and has one of the following bodies:

Dear Madam / Sir,

I regret to inform you that ACH payroll payment initiated by you or on your behalf was not accepted by Central Trust and Savings Bank.

Transaction ID: 17036653478735
Current status of transaction: on hold

Please review transaction details as soon as possible.

Theodore Parham
Payments Administration
Central Trust and Savings Bank

Dear Sir or Madam,

ACH debit transfer created by you or on your behalf was hold by Yolo Community Bank.

Transaction ID: 170038559047
Current status of transaction: on hold

Please review transaction details as soon as possible.

J. J. Shapiro
Payments Administration
Yolo Community Bank

Following the URL behind ‘review transaction details’ leads to sites such as:

hxxp://openmindcomputech.com/zfin.html
hxxp://www.ebappcc.com/zfin.html
These pages are merely redirections that bring you to the host serving the malware, where a page prompts you to download and install "Adobe Flash Player".

The downloaded file is named update flash.exe and is 233 kB in size.

The trojan is known as ***

The following files will be created:

%AppData%\Efoxq\ozabp.ugu
%AppData%\Efoxq\ozabp.ugu.0
%AppData%\Igobig\ziywe.exe
%Temp%\tmp7f99c3f9.bat

The following directories are created:

%AppData%\Efoxq
%AppData%\Igobig

Several Windows registry changes are executed, and the trojan can establish a connection to the IP 64.252.17.231 on port 11760.

At the time of writing, only 12 of the 43 AV engines on Virus Total detected the trojan.

Virus Total permalink and MD5: c5d161117328f8101f92442f19dbc96e.
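As an added example (not part of the MX Lab post), the indicators above turned into a small Python triage script: it flags mail whose subject matches the campaign's lure, flags links to the zfin.html redirect pages, and picks out flow-log lines that reach the C2 IP and port. The sample messages and flow lines are constructed for the demonstration.

```python
import re

# Subject lines quoted in the post; the bank name varies between messages.
SUBJECT_RE = re.compile(
    r"^(ACH (debit transfer|payroll payment|transfer)|Funds transfer)\s+was\s+"
    r"(hold|not accepted)\s+by\s+\S.*$", re.IGNORECASE)
# Both redirect URLs in the post end in /zfin.html on different hosts.
LANDING_RE = re.compile(r"^h(xx|tt)ps?://[^/\s]+/zfin\.html$", re.IGNORECASE)
C2_IP, C2_PORT = "64.252.17.231", 11760  # C2 endpoint named in the post
FLOW_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def is_campaign_subject(subject):
    """True when the subject matches the ACH 'hold / not accepted' lure."""
    return bool(SUBJECT_RE.match(subject.strip()))


def is_landing_url(url):
    """True for the zfin.html redirect pages used by this campaign."""
    return bool(LANDING_RE.match(url.strip()))


def triage_messages(messages):
    """Return (subject, reasons) for each message dict that trips an indicator."""
    hits = []
    for msg in messages:
        reasons = []
        if is_campaign_subject(msg.get("subject", "")):
            reasons.append("ach-lure-subject")
        if any(is_landing_url(u) for u in msg.get("urls", [])):
            reasons.append("zfin-redirect-url")
        if reasons:
            hits.append((msg["subject"], reasons))
    return hits


def c2_flows(lines):
    """Return flow-log lines whose destination is the trojan's C2 endpoint."""
    return [ln for ln in lines
            if (m := FLOW_RE.search(ln)) and m.group("dst") == C2_IP
            and int(m.group("dport")) == C2_PORT]


# Constructed sample data (not taken from the post) for exercising the checks.
SAMPLE_MESSAGES = [
    {"subject": "ACH Transfer was not accepted by Eldorado Bank",
     "urls": ["hxxp://www.ebappcc.com/zfin.html"]},
    {"subject": "Funds transfer was hold by our bank", "urls": []},
    {"subject": "Lunch on Friday?", "urls": ["https://example.com/menu"]},
]
SAMPLE_FLOWS = [
    "src=10.0.0.5 dst=64.252.17.231 dport=11760 proto=tcp",  # C2 hit
    "src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp",
]
```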


2 thoughts on “Email with information about an ACH debit transfer created on your behalf leads to malware”

  1. just received one from 30132265673692NACHA
    regarding $80661,13 ACH debit transfer was Hold

    deleted
    thanks
    PDM

  2. Just received one:

    This is an automated e-mail.
    PLEASE DO NOT RESPOND TO THIS EMAIL ACCOUNT.
    This account is not reviewed for responses.

    This email is to confirm that on 07/17/2013, 3M’s bank (JP Morgan) has debited $7,184.97 from your bank account.

    If you have any questions, please visit the 3M EIPP Helpline at this link.
