Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Ongoing Spam Campaign Related to Swift - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Ongoing Spam Campaign Related to Swift

Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page:

The HTML link point to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromized Wordpress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to 95.140.125.110 but it is not valid anymore (take down already completed?)

Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous. 

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

465 Posts
ISC Handler
Quote:Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55) which still makes it dangerous.

OUCH!
PE means Windows is the target.
Do you REALLY think that most of Windows' users sit behind a (filtering) web proxy?
GET REAL!
Anonymous
In corporate environments, chances increase that filters are in place. And companies are targets in such campaigns.
Xme

465 Posts
ISC Handler
Quoting Xme:In corporate environments, chances increase that filters are in place. And companies are targets in such campaigns.

In SOHO/HO environments and of course in front of Joe/Jane Average's computer(s) -- even if they run a business or their own company -- you typically won't find a (filtering) proxy.

THAT'S LIFE!
Anonymous
Quoting Xme:In corporate environments, chances increase that filters are in place. And companies are targets in such campaigns.


In corporate environments you typically have Administrators who can (or should be able to) protect their users for example via SAFER from (not only) this attack vector.

The majority of Windows' users but don't work in such environments.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!