Ongoing Spam Campaign Related to Swift

Published: 2016-06-20
Last Updated: 2016-06-20 13:07:07 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page:

The HTML link point to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromized Wordpress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to 95.140.125.110 but it is not valid anymore (take down already completed?)

Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous. 

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: Malware Spam Swift
4 comment(s)

Comments

[quote]Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous.[/quote]
OUCH!
PE means Windows is the target.
Do you REALLY think that most of Windows' users sit behind a (filtering) web proxy?
GET REAL!
In corporate environments, chances increase that filters are in place. And companies are targets in such campaigns.
[quote=comment#37267]In corporate environments, chances increase that filters are in place. And companies are targets in such campaigns.[/quote]
In SOHO/HO environments and of course in front of Joe/Jane Average's computer(s) -- even if they run a business or their own company -- you typically won't find a (filtering) proxy.

THAT'S LIFE!
[quote=comment#37267]In corporate environments, chances increase that filters are in place. And companies are targets in such campaigns.[/quote]

In corporate environments you typically have Administrators who can (or should be able to) protect their users for example via SAFER from (not only) this attack vector.

The majority of Windows' users but don't work in such environments.

Diary Archives