SHARE THIS

A new attempt to install malware, steal passwords, and access bank accounts using information stored on your personal computer has appeared since early last week. I normally get many notices of these new attempts, but I seldom have them sent to me. This one didn’t take long to arrive, which makes me believe that numerous bad guys are finding success in sending it out.

The subject line of your email will read, “A for guest WARDE SAID”.

The sender will be, “CTAC_DT_Hotel@Hilton.com”.

The message body will read, “Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us. Enclosed is a copy of your receipt(FOLIODETE_2256835.pdf). Should you require any further assistance please do not hesitate to contact us directly.

We look forward to welcoming you back in the near future. This is an automatically generated message. Please do not reply to this email address. This transmission is not a digital or electronic signature and cannot be used to form, document, or authenticate a contract. Hilton and its affiliates accept no liability arising in connection with this transmission. Copyright 2015 Hilton Worldwide Proprietary and Confidential .”

——————————————

The zip attachment is another one from the current program bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers, but consumers are not immune from this latest attempt.

All of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details.

This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.  

Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day.

The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family  love to send us pictures of them doing silly things, or even cute pictures of the children or pets. Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first.

Most ( if not all) malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name. Unfortunately windows by default hides the file extensions so you need to Set your folder options to “show known file types. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball” or a report in word document format that work has supposedly sent you to finish working on at the weekend,  you can easily see if it is a picture or document & not a malicious program. If you see .EXE or .COM or .PIF or .SCR at the end of the file name DO NOT click on it or try to open it, it will infect you.

While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file.

If you right click any suspicious zip file received, and select extract here or extract to folder ( after saving the zip to a folder on the computer) that risk is virtually eliminated. Never attempt to open a zip directly from your email, that is guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.

The following reports were provided after scanning the attached .zip file:

Malware

29 June 2015

Attachment : FOLIODETE_4375959.zip containing FOLIODETE.exe

VirusTotal

AVG 		PSW.Agent.BMOO 
ESET-NOD32 	Win32/TrojanDownloader.Agent.BEL 
Kaspersky 	Trojan.Win32.Inject.vbau 
McAfee 		RDN/Generic Downloader.x!nt 
Microsoft 	TrojanDownloader:Win32/Ruckguv.A 
Sophos 		Troj/DwnLdr-MOX 
Symantec 	Backdoor.Trojan 
Tencent 	Trojan.Win32.YY.Gen.2 
TrendMicro 	TROJ_DLOADR.UKL

Malwr.com

Performs some HTTP requests
A process attempted to delay the analysis task by a long amount of time.
Tries to unhook Windows functions monitored by Cuckoo
Steals private information from local Internet browsers
Executed a process and injected code into it, probably while unpacking

Hybrid-Analysis.com Also:

downloads : enginedevelopments.ca/wp-content/uploads/2015/01/day87.exe

ruckguv memory strings :
  %s\csrss_%d.exe
  %s\Frifox_%d.exe
  %s\WindowsDriver_%d.exe

Downloaded executable : day87.exe ( Dyreza banking malware )

VirusTotal

ESET-NOD32 		Win32/Battdil.X 
Malwarebytes 	Spyware.Dyre 
Microsoft 		PWS:Win32/Dyzap 
TrendMicro 		TSPY_BANKER.IKL

Malwr.com|  Hybrid-Analysis.com Also: Campaign ID:

1806us77

These C2 sites in memory:

107.161.199.58:4443
109.87.63.98:443
176.103.203.166:443
176.120.201.9:443
176.123.16.30:443
176.197.100.182:443
178.219.10.23:443
178.54.231.147:443
181.189.152.131:443
184.164.97.242:443
188.255.241.22:4443
194.187.219.116:443
194.28.190.84:443
194.28.191.213:443
195.34.206.204:443
199.120.97.190:443
208.123.129.153:4443
208.123.129.218:4443
208.123.135.106:4443
212.37.81.96:4443
213.133.178.154:443
213.174.6.246:4443
31.134.73.151:4443
31.41.92.90:443
31.42.170.118:443
31.42.172.36:443
38.124.169.163:4443
46.151.51.75:443
46.175.23.130:443
67.206.96.30:443
67.207.228.144:443
67.219.166.113:443
69.118.144.195:4443
75.98.158.55:443
77.234.235.48:443
80.234.34.137:443
80.87.219.35:443
83.168.164.18:443
84.16.54.22:443
84.16.55.122:443
85.192.165.229:443
87.116.153.216:443
91.220.174.208:443
91.240.97.141:443
93.91.154.243:443

Dyreza config data for the intercept of bank logins was also found :

<serverlist>
<server>
<sal>srv_name</sal>
<saddr>144.76.85.198:443</saddr>
</server>
<server>
<sal>werserv</sal>
<saddr>95.211.206.202:443</saddr>
</server>
</serverlist>
<localitems>
<litem>
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces*
cashproonline.bankofamerica.com/*
qulmkydziefsjcoynzfcoh12081.com
srv_name
</litem>
<litem>
businessaccess.citibank.citigroup.com/cbusol/signon.do*
businessaccess.citibank.citigroup.com/*
wsrsmgozdgwiaamfjelbnkqncgdc12181.com
srv_name
</litem>
<litem>
www.bankline.natwest.com/CWSLogon/logon.do*
www.bankline.natwest.com/*
pggmoabsmexdlbo12281.com
... and much much more!