Tuesday, 20 January 2015

Barclays - Important Update, read carefully! malware

"Barclays - Important Update, read carefully!" from "Barclays Online Bank" {security-update@barclays.com}: malware delivered by an HTML email whose link leads to a page that auto-downloads a Zip file containing an executable.

Headers:
Date: Tue, 20 Jan 2015 15:01:55 +0000
From: "Barclays Online Bank"{security-update@barclays.com}
Subject: Barclays - Important Update, read carefully!

Message body (reproduced verbatim, spelling and grammar included):

Dear Customer,

Protecting the privacy of your online banking access and personal information are our primary concern.

During the last complains because of online fraud we were forced to upgrade our security measures.

We believe that Invention of security measures is the best way to beat online fraud.

Barclays Bank have employed some industrial leading models to start performing an extra security check with Your Online Banking Activities to ensure a safe and secure Online and Mobile Banking.

For security reasons we downloaded the Update Form to security Barclays webserver.

You are requested to follow the provided steps and Update Your Online Banking details, for the safety of Your Accounts.

- Please download and complete the form with the requested details:  http://natmystic.com/BARCLAYS-ONLINE_BANKING~IMPORTANT-UPDATE/update.html

- Fill in all required fields with your accurately details (otherwise will lead to service suspension)

Warning: If you choose to ignore our request, you leave us no choice but to temporary hold on your funds.

Thank you for your patience as we work together to protect your account.

Please update your records on or before 48 hours, a failure to update your records will result in a temporary hold on your funds.

Sincerely,

Barclays Online Bank Customer Service

We apologize for any inconvenience this may have caused.

(c) Copyright 2015 Barclays Bank Plc. All rights reserved.
The website link in the message is fake; do not visit it:
http://natmystic.com/BARCLAYS-ONLINE_BANKING~IMPORTANT-UPDATE/update.html

The Zip file auto-downloaded by that page is (the filename is random; this is the one seen):
update34412.zip

Inside the Zip is a Windows executable, not an update form (the filename is again random; note the extension, which is the giveaway that this is a program rather than a document):
update18972.exe

MD5 hash:
5071a5077ca1e62722ac9d54ff8126d7
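As an added triage example (not part of the original post and not Sanesecurity's code), the script below checks the two giveaways described above: links whose host is not under the domain the sender claims, and a downloaded Zip whose member is an executable rather than a form, with each executable's MD5 compared against the hash above. The sample mail is constructed from the headers quoted in the post (the post shows the address in curly braces; angle brackets are assumed), and the Zip is a constructed stand-in holding an MZ stub, so its hash will not match the real sample.

```python
"""Phish triage: off-brand links in the mail, executables inside the Zip.

Added example, not code from the Sanesecurity post. Everything below is
constructed in-line so it runs offline; the only real indicator is the MD5.
"""
import hashlib
import io
import re
import zipfile
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator from the post (MD5 of the update*.exe sample).
KNOWN_BAD_MD5 = {"5071a5077ca1e62722ac9d54ff8126d7"}

# Extensions Windows will run on double-click; the Zip here carried .exe.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample mail modelled on the headers and link quoted above.
SAMPLE_MAIL = """From: "Barclays Online Bank" <security-update@barclays.com>
Subject: Barclays - Important Update, read carefully!
Date: Tue, 20 Jan 2015 15:01:55 +0000

Dear Customer,
- Please download and complete the form with the requested details:  http://natmystic.com/BARCLAYS-ONLINE_BANKING~IMPORTANT-UPDATE/update.html
"""


def link_domains_off_brand(raw_mail: str) -> list:
    """Return (url, host) for every link whose host is not under the
    domain in the From: address. A bank mail pointing at an unrelated
    host is the first thing to flag."""
    msg = message_from_string(raw_mail)
    _, addr = parseaddr(msg.get("From", ""))
    claimed = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # single-part text body in this sample
    bad = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != claimed and not host.endswith("." + claimed):
            bad.append((url, host))
    return bad


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """List Zip members with an executable extension (including dual
    extensions such as form.pdf.exe), their MD5, and whether the MD5 is
    a known indicator."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext not in EXEC_EXTS:
                continue
            md5 = hashlib.md5(zf.read(info)).hexdigest()
            found.append({
                "name": name,
                "dual_extension": lower.count(".") >= 2,
                "md5": md5,
                "known_ioc": md5 in KNOWN_BAD_MD5,
            })
    return found


def build_sample_zip(member_names=("update18972.exe", "README.txt")) -> bytes:
    """Constructed stand-in for update34412.zip. Members ending in an
    executable extension get a 64-byte MZ stub, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in member_names:
            payload = b"MZ" + b"\x00" * 62 if name.lower().endswith(".exe") else b"text"
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for url, host in link_domains_off_brand(SAMPLE_MAIL):
        print(f"off-brand link: {url} (host {host})")
    for member in suspicious_zip_members(build_sample_zip()):
        print(member)
```

Run against a real mail, feed the raw message to `link_domains_off_brand` and the downloaded Zip's bytes to `suspicious_zip_members`; a `known_ioc` of True means the hash above matched, and a True `dual_extension` is the document-disguise trick even when the hash does not.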
Malware information:

VirusTotal report [1] (detected by 2 of 56 scanners at the time of posting)

hybrid-analysis report [1] (very detailed)

Malwr report [1]

Summary of the sandbox reports:

- Performs some HTTP requests
- The binary likely contains encrypted or compressed data
- Steals private information from local Internet browsers
- Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
- Creates an Alternate Data Stream (ADS)
- Installs itself for autorun at Windows startup

Cheers,
Steve
Sanesecurity.com

2 comments:

Anonymous said...

Just received this email myself. Thanks for the heads up.

Anonymous said...

Thank you for the article.

We received the same message yesterday as well. We are in Malaysia.

Keep up the good work.

Pete (Jan 21, 2015)