Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Ongoing Spam Campaign Related to Swift InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Ongoing Spam Campaign Related to Swift

Published: 2016-06-20
Last Updated: 2016-06-20 13:07:07 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page:

The HTML link point to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromized Wordpress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to 95.140.125.110 but it is not valid anymore (take down already completed?)

Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous. 

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: Malware Spam Swift
4 comment(s)
Diary Archives