MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects “BACS Transfer : Remittance for JSAG823GBP” and “Bankline ROI – Password Re-activation Form”.
BACS Transfer : Remittance for JSAG823GBP
This email is sent from the spoofed address “Nikki Ward <email@example.com>” and has the following body:
We have arranged a BACS transfer to your bank for the following amount : 4045.00
Please find details attached.
The attached file BACS_Transfer_AQ004719.zip contains the 32 kB file BACS_Transfer_AQ004719.scr.
Bankline ROI – Password Re-activation Form
This email is sent from the spoofed address “Susanne Babb <Susanne.Babb@rbs.co.uk>” and has the following body:
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.
Fax to 1850 835753 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to firstname.lastname@example.org
On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.
Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.
Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.
If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.
If you require any further assistance then please do not hesitate to contact us on 1850 750361 and one of our associates will be happy to assist you.
Bankline Product Support
This e-mail message is confidential and for use by the intended recipient only. If the message is received by anyone other than the intended recipient, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster Bank Ireland Limited (“Bankline Bank Group”)/ Royal Bank of Scotland Group plc does not accept responsibility for changes made to this message after it was sent. Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by any member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
The attached file Bankline_Password_reset_6265613.zip contains the 32 kB file Bankline_Password_reset_077812.scr.
The trojan is known as Upatre.GK, HEUR/QVM20.1.Malware.Gen and Trojan.Win32.YY.Gen.7.
At the time of writing, 3 of the 57 AV engines on VirusTotal detected the trojan.
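As an added defender-side example (not code from MX Lab's post), here is a Python check that a mail gateway could run over a zip attachment like the two described above: it flags archive members with an executable extension such as .scr, a decoy double extension, or a PE (MZ) header regardless of the name. The sample archive is constructed inline for the demonstration and is not the real attachment.

```python
import io
import zipfile

# Extensions Windows will execute directly on double-click; .scr (screensaver)
# is the one used by both attachments described in the post.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def inspect_zip_attachment(zip_bytes):
    """Return a list of (member_name, reason) findings for a zip attachment."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Look only at the base name; split on dots to see all extensions.
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
                if len(parts) > 2:  # e.g. "Remittance.pdf.scr"
                    reasons.append("decoy extension ." + parts[-2])
            # Extension-independent check: a Windows executable starts with "MZ".
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE (MZ) header")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_zip(member_name, payload):
    """Build a constructed in-memory zip for the demo (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for BACS_Transfer_AQ004719.zip: a .scr with an MZ header.
    sample = build_sample_zip("BACS_Transfer_AQ004719.scr", b"MZ" + b"\x00" * 30)
    for member, reason in inspect_zip_attachment(sample):
        print(member, "->", reason)
```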