Barclays transaction notification #nnn - Virus


Email:

Fake Barclays transaction notification email claims a transaction was completed and money has been successfully transferred.

Attached zip file contains an exe virus or trojan horse.

Spoofs barclays.com in the From header and uses look-alike subdomain spoofing in the envelope sender (WellsFargo.com.something).


Subject:  Barclays transaction notification #223336

[Barclays logo]

Transaction details
Transaction is completed. £6181 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.

Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC
is authorised by the Prudential Regulation Authority and regulated by the Financial
Conduct Authority and the Prudential Regulation Authority (Financial Services Register
No. 122702). Registered in England. Registered Number is 1026167 with registered
office at 1 Churchill Place, London E14 5HP.

payment receipt 25-11.zip (335)

[Picture of fake Barclays email with virus attachment from 25 November 2013.]

Subject: Barclays transaction notification #9752-915

Transaction is completed. £4188 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.

Barclays is a trading name of Barclays Bank PLC and its subsidiaries....

Payment receipt Barclays PA77392733.zip (321)

Subject: Barclays transaction notification #8425-455

Transaction is completed. 6414 GBP has been successfully transfered.
If the transaction was made by mistake please contact our customer service.

Receipt of payment is attached.
Barclays Bank PLC is {MIX: by the Prudential Regulaiton Authority and {MIX:regulated by the Finacnial
Conduct Authority and the Prudential Regulation Authority except for lending where we are liecnsed
by The Office of Fair Trading. Authoirsation can be checked blah blah blah...

Receipt N288110009042014.zip (97)

Header Examples:

Spoofs barclays.com in From headers. Uses look-alike subdomain spoofing in the envelope sender, mostly WellsFargo.com.something...

cbl.abuseat.org (the CBL blocklist) lists the sending IPs as Cutwail spambots.

Received: from 114-44-83-59.dynamic.hinet.net [114.44.83.59]
X-Envelope-From: bekesyvfe850 @WellsFargo.com.postfix.livenirvana.com
From: "Barclays Bank PLC" <reports @barclays.com>
Subject: Barclays transaction notification #181912

Received: from [219.92.56.97]
X-Envelope-From: maj7 @WellsFargo.com.postfix.purifiercn.ru
From: "Barclays Bank PLC" <manager @barclays.com>
Subject: Barclays transaction notification #155907

Received: from co.za [105.229.6.81]
X-Envelope-From: unadvised0 @WellsFargo.com.postfix.gil.com.au
From: "Barclays Bank PLC" <auto-notify @barclays.com>
Subject: Barclays transaction notification #223336

Received: from localhost [113.173.203.126]
X-Envelope-From: enameledrja740 @WellsFargo.com.postfix.unb.ca
From: "Barclays Bank PLC" <auto-notify @barclays.com>
Subject: Barclays transaction notification #065055

Received: from [212.0.146.76]
X-Envelope-From: banknotey5134 @WellsFargo.com.postfix.statesville.net
From: criscosh59 @WellsFargo.com.postfix.surewest.com
Subject: Barclays transaction notification #435589
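The From/envelope pattern in the header samples above can be checked mechanically. The following Python is an added example (not code from this page or from any tool mentioned on it): it parses header blocks laid out like the samples, undoes the " @" defanging, and flags a From domain that differs from the envelope sender, a From or envelope domain that uses a brand domain as a leading subdomain (the WellsFargo.com.postfix.<domain> trick), and a Received line that names no host or a dynamic-looking one. The BRAND_DOMAINS tuple, the finding names and the relay heuristic are assumptions made for the example; the sample headers are constructed from the first and last examples on the page.

```python
from email.utils import parseaddr

# Brands impersonated in this campaign, taken from the page's header samples (assumed list).
BRAND_DOMAINS = ("barclays.com", "wellsfargo.com")

# Constructed sample, modelled on two of the page's header examples.
# The ' @' is the page's defanging; sender_domain() strips it before parsing.
SAMPLE_HEADERS = """\
Received: from 114-44-83-59.dynamic.hinet.net [114.44.83.59]
X-Envelope-From: bekesyvfe850 @WellsFargo.com.postfix.livenirvana.com
From: "Barclays Bank PLC" <reports @barclays.com>
Subject: Barclays transaction notification #181912

Received: from [212.0.146.76]
X-Envelope-From: banknotey5134 @WellsFargo.com.postfix.statesville.net
From: criscosh59 @WellsFargo.com.postfix.surewest.com
Subject: Barclays transaction notification #435589
"""


def parse_header_block(block):
    """Turn one 'Name: value' block into a dict keyed by lowercase header name."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def sender_domain(value):
    """Lowercase domain part of an address header value; tolerates the ' @' defanging."""
    addr = parseaddr(value.replace(" @", "@"))[1]
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain):
    """Brand whose domain appears as a leading subdomain of `domain`
    (e.g. wellsfargo.com.postfix.example.net), or None if it is the brand itself or unrelated."""
    for brand in BRAND_DOMAINS:
        if domain != brand and domain.startswith(brand + "."):
            return brand
    return None


def assess_headers(block):
    """Return the list of finding names for one header block (empty list means nothing suspicious)."""
    h = parse_header_block(block)
    from_dom = sender_domain(h.get("from", ""))
    env_dom = sender_domain(h.get("x-envelope-from", ""))
    findings = []
    # Legitimate bank mail has a From domain that matches (or is a known subdomain of) the envelope sender.
    if from_dom and env_dom and from_dom != env_dom:
        findings.append("from-envelope-mismatch")
    if lookalike_brand(from_dom):
        findings.append("lookalike-from-domain")
    if lookalike_brand(env_dom):
        findings.append("lookalike-envelope-domain")
    # Heuristic (assumed): bank mail does not originate from an unnamed IP, 'localhost', or a dynamic consumer line.
    received = h.get("received", "").lower()
    if "dynamic" in received or received.startswith("from [") or received.startswith("from localhost"):
        findings.append("consumer-or-unnamed-relay")
    return findings


def assess_all(text):
    """Assess every blank-line-separated header block; returns {subject: findings}."""
    return {parse_header_block(b).get("subject", "?"): assess_headers(b)
            for b in text.strip().split("\n\n")}


if __name__ == "__main__":
    for subject, findings in assess_all(SAMPLE_HEADERS).items():
        print(subject, "->", ", ".join(findings) or "clean")
```

The look-alike check is deliberately a plain prefix match on the brand domain; a gateway rule would normally resolve the registrable domain with the Public Suffix List first, so that a real `mail.barclays.com` is not mistaken for a spoof while `barclays.com.evil.example` still is.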

Attachment / Link Samples:

25 November 2013

payment receipt 25-11.zip containing Payment receipt.exe | VirusTotal report | Malwr.com report

22 January 2014

Payment receipt 66165.zip containing Payment receipt 66165.exe | VirusTotal report | File-Analyzer.net report 

18 February 2014

Payment receipt Barclays PA77392733.zip containing Payment receipt Barclays PA77392733.exe

VirusTotal report 

Avast         Win32:Malware-gen
K7AntiVirus   Trojan ( 0001140e1 )
Symantec      Trojan.Zbot

Malwr.com report 

Starts servers listening on 0.0.0.0:8417, 0.0.0.0:1863, 0.0.0.0:0
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Installs itself for autorun at Windows startup
Generates some ICMP traffic

File-Analyzer.net report 

Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates or modifies windows services
Modifies existing windows services
Opens a port and listens for incoming connection (possibly a backdoor)
Drops: C:\Documents and Settings\Administrator\Application Data\Raiqa\ilqeu.exe
Binary may include packed or encrypted data
Contains functionality to inject threads in other processes

Contacts:
212.179.213.249 Israel
184.56.203.9 United States
119.197.126.215 Korea Republic of
69.77.185.100 Canada
24.124.110.76 United States
89.216.177.236 Serbia
184.3.61.57 United States
68.197.193.98 United States
120.151.223.234 Australia
85.100.41.9 Turkey
91.236.245.22 Belgium
12.166.193.10 United States
99.37.80.46 United States
27.54.110.77 Japan
184.32.13.208 United States
76.64.157.9 Canada
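Every attachment sample on this page is a zip whose only payload is an .exe named like a payment receipt. As an added example, not code from this page or from any of the linked reports, here is a Python attachment check of the kind a mail gateway would apply before delivery: it opens an archive in memory and flags entries by executable extension, by double extension, and by the PE "MZ" signature regardless of what the extension claims. The archive it builds is constructed for the example (the entry names imitate the lures above; the contents are a bare two-byte MZ stub, not a working binary), and the EXECUTABLE_EXTENSIONS set and finding names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run on double-click; the page's samples all carry .exe (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Constructed entries standing in for 'payment receipt 25-11.zip': one lure named exactly like the
# page's samples, two entries that hide an executable behind a document extension, one harmless file.
SAMPLE_ENTRIES = {
    "Payment receipt.exe": b"MZ" + b"\x00" * 62,   # DOS 'MZ' signature only, not a real PE
    "invoice.pdf.scr": b"MZ" + b"\x00" * 62,       # double extension: looks like a PDF, runs as .scr
    "receipt.pdf": b"MZ" + b"\x00" * 62,           # extension says PDF, content is a PE stub
    "notes.txt": b"plain text",
}


def build_zip(entries):
    """Build a zip archive in memory from {name: bytes} and return it as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_archive(data):
    """Return (entry name, reason) pairs for every entry that should block delivery."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                magic = fh.read(2)          # only the first two bytes are needed for the PE check
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "executable-extension"))
                if len(suffixes) > 1:
                    findings.append((info.filename, "double-extension"))
            elif magic == b"MZ":
                # Content check catches renamed executables that the extension rule misses.
                findings.append((info.filename, "pe-content-behind-non-executable-extension"))
    return findings


def should_quarantine(data):
    """True if any entry in the archive triggers a finding."""
    return bool(inspect_archive(data))


if __name__ == "__main__":
    for name, reason in inspect_archive(build_zip(SAMPLE_ENTRIES)):
        print(f"{name}: {reason}")
```

The check reads only the first two bytes of each entry, so it stays cheap on large archives; a production filter would also bound the decompressed size per entry and reject password-protected archives it cannot inspect, since those defeat both the extension and the content rule.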

Samples provided to Clam AV and Microsoft Security when this article was created.
