
Because every financial institution and their mom is going to "secure document delivery" quasi-email services, employees are being trained to click on links and run crazy attachments from companies they've never heard of.

This trend basically takes everything you ever taught your people about phishing awareness, and it wipes its ass with it. Right in front of you. Right in front of the employees too.

An .htm attachment that uses JavaScript to launch Java, which opens another web page containing the email? Why not? Links shortened with the ccTLD of Uganda? Sounds legit!

Thanks to this trend, you have this blight of secure-message malware spam. Oh, and never mind that your employees are probably re-using passwords like a mother because they now have a log-in for every "email".

Here are some of the high-mileage runs:

They come in Key Bank, CitiBank, HSBC, Wells Fargo, and many other flavors.

The malware can be an exe-in-zip, a double-extension exe, an html file, a malicious PDF, or sit behind a web link. Or combinations.

Spoofing can be as good or as lazy as you can imagine, often with bank A emails spoofing banks B and C in various header positions.


National Australia Bank

Picture of fake National Australia Bank secure message email.

CitiBank, html attachment, version 1.

Picture of fake CitiBank secure message email with malicious html document attached.

CitiBank, exe-in-zip attachment, version 2.

Picture of citibank version of fake secure message malware email, exe in zip variant.

Key Bank IronPort-style, version 3

Fake Key Bank Secure Message Ironport email with virus!

HSBC version, exe in zip, version 1

Picture of fake HSBC secure message email with malicious exe in zip file attached.

Natwest version 1.

Picture of fake Natwest secure message with malware.

NatWest version 2.

Picture of version 2 of the fake NatWest secure message email.

Bank Of America Merrill Lynch ACH CashPro version 1. (Version 2 has securedoc.pdf)

Picture of malware secure message email in the Bank of America Merrill Lynch flavor.


Subject: You have received a secure message (  National Australia Bank )

 You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open
(view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions
please contact the National Australia Bank Secure Email Help Desk at (866) 588-4098.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.nab.com.au/wps/wcm/connect/nab/nab/home/about_us/10/1

SecureMessage.zip (26)

 

Subject: You have received a secure message ( KeyBank, plain, non-Ironport-style )

Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open 
(view) the file or save (download) it to your computer. For best results, save the file first,
then open it.

If you have concerns about the validity of this message, please contact the sender directly.
For questions about Key's e-mail encryption service, please contact technical support at
888.764.7941.

First time users - will need to register after opening the attachment.
Help - https:// mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https:// mailsafe.keybank.com/websafe/about
  securedoc.zip (152)

 

Subject: You have received a secure message ( citibank exe in zip version )

You have received a secure message

Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the
file or save (download) it to your computer. For best results, save the file first, then open it
with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

securedoc.zip (9)

 

Subject: Citibank Secure Email Notification ( citibank html version )

You have received a secure message

Read your secure message by opening the attachment, securedoc.html. You will be prompted to open
(view) the file or save (download) it to your computer. For best results, save the file first,
then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For
questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http:// www.citi.com/citi/citizen/privacy/email.htm

Subject: You have received a secure message  ( Keybank IronPort style )

KeyBank Logo   SecureMessage
Iron Port Logo
Encryption

You have received a secure message

Read your secure message by opening the attachment, Secure_Message.zip. You will be
prompted to open (view) the file or save (download) it to your computer. For best
results, save the file first, then open it in a Web browser. To access from a mobile
device, forward this message to mobile @res.cisco.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender
directly. For questions about Key's e-mail encryption service, please contact technical
support at 888.764.7941.
First time users - will need to register after opening the attachment.

Help - https:// mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https:// mailsafe.keybank.com/websafe/about

Sincerely,
Bruno_Hendrickson
KeyCorp Level III Support

Powered by IronPort

Subject: You have received a secure message ( HSBC version. )

 Read your secure message by opening the attachment, message_zdm. You will be prompted to open (view) 
the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions
please contact the HSBC Secure Mail Help Desk.

Subject: You have received a secure message  ( NatWest version. )

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted
to open (view) the file or save (download) it to your computer. For best results, save the
file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.
For questions please contact the National Australia Bank Secure Email Help Desk at
(866) 118-2702.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.natwest.com/wps/wcm/connect/natwest/home/about_us/10/1

SecureMessage.zip (12)

Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro

You have received a secure message from Bank of America Merrill Lynch

Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view)
 the file or save (download) it to your computer. For best results, save the file first, then open it
in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.
Help - https:// securemail.bankofamerica.com/ websafe/ml/help?topic=RegEnvelope

   securedoc.zip (16)

Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro

You have received a secure message from Bank of America Merrill Lynch
Read your secure message by opening the attachment, securedoc.pdf. You will be prompted
to open (view) the file or save (download) it to your computer. For best results, save
the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.
First time users - will need to register after opening the attachment.

securedoc.pdf

Subject: You have a new Secure Message ( Wells Fargo version )

You have received a secure message

Read your secure message by download Document_087341-436175.zip. You will be prompted to open (view) the
file or save (download) it to your computer. For best results, save the file first, then open it.

In order to view the secure message please download it using our Cloud Hosting:

https:// www.cubby.com/pl/Document_087341-436175.zip/_0e1f0f95214a458c8f534b9503f216bd

About Email Encryption please check our website at https://wellsfargo.com

  

Header samples:

This series of emails has gone through many iterations, spoofing various banks, with much mixing of spoofed From and Envelope headers.

15 September 2015 - National Australia Bank

Spoofs nab.com.au in the From headers and random junk in the Envelope headers (the MAIL FROM address of the SMTP session).

Received: from host-98-127-116-97.gdj-co.client.bresnan.net [98.127.116.97]
X-Envelope-From: insertionsdse3 @acm.org
From: "National Australia Bank" <Secure.Message@nab.com.au>
Subject: You have received a secure message

Received: from [111.118.158.170]
X-Envelope-From: lumpdg971 @statesville.net
From: "National Australia Bank" <Secure.Message@nab.com.au>
Subject: You have received a secure message

Received: from ritt-187-34.ranksitt.net [202.40.187.34]
X-Envelope-From: considersdi10 @ponyexpress.net
From: "National Australia Bank" <Secure.Message@nab.com.au>
Subject: You have received a secure message

Received: from bb121-7-147-243.singnet.com.sg [121.7.147.243]
X-Envelope-From: conqueror50 @daxis.nl
From: "National Australia Bank" <Secure.Message@nab.com.au>
Subject: You have received a secure message

 

Citibank version

Received: from host-41.33.182.226.tedata.net [41.33.182.226]
X-Envelope-From: hungm0 @purifiercn.ru
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from bell.ca [70.51.121.206]
X-Envelope-From: reubenmau18 @heinemann.com
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from rrcs-67-53-74-130.sw.biz.rr.com [67.53.74.130]
X-Envelope-From: cantataslxk82 @casesmaker.ru
From: "secure.email @citi.com" <secure.email @citi.com>

  

KeyBank version

Received: from Wireless_Broadband_Router - static-72-68-73-58.nwrknj.fios.verizon.net [72.68.73.58]
X-Envelope-From: support @nacha.org
From: "Key Bank" <Ruth_Reaves @KeyBank.com>
Subject: You have received a secure message

  

Natwest version

Received: from abs-static-210.170.102.118.aircel.co.in [118.102.170.210]
X-Envelope-From: fraud @aexp.com
From: "Natwest" <Secure.Message @natwest.com>
Subject: You have received a secure message

Received: from bba186382.alshamil.net.ae [217.165.70.200]
X-Envelope-From: fraud @aexp.com
From: "Natwest" <Secure.Message @natwest.com>
Subject: You have received a secure message

  

Bank of America Merrill Lynch version

Spoofs baml.com in the From headers but aexp.com in the Envelope. Like a Cutwail spambot.

Received: from wsip-184-177-3-173.no.no.cox.net [184.177.3.173]
X-Envelope-From: fraud @aexp.com
From: "Elliot White" <Elliot.White @baml.com>
Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro

Received: from host194.186-153-10.telecom.net.ar [186.153.10.194]
X-Envelope-From: fraud @aexp.com
From: "Aaron Lee" <Aaron.Lee @baml.com>
Subject: Bank of America Merrill Lynch: Completion of request for ACH CashPro
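An added example (not code from the original post) that checks two of the tells described above: a From: domain that differs from the X-Envelope-From domain, and a "secure message" zip whose content is an executable rather than a document. The sample message is constructed from the NatWest headers quoted above; the file inside the zip is a stub, not a real binary.

```python
# Added example, not from the original post: flag a From/envelope domain mismatch and a
# "secure message" zip that holds an executable (.exe/.scr) instead of a document.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def domain_of(addr):
    """Lower-cased domain of 'Name <user@host>' or 'user @host' (defanged spacing ok)."""
    m = re.search(r"@\s*([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("X-Envelope-From", ""))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"from/envelope mismatch: {from_dom} vs {env_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    bad = [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
            except zipfile.BadZipFile:
                bad = []
            if bad:
                findings.append(f"zip {name} contains executable(s): {', '.join(bad)}")
        elif name.endswith(EXEC_EXTS):
            findings.append(f"executable attachment: {name}")
    return findings

def build_sample():
    """Constructed message modelled on the NatWest headers/lure quoted in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage.scr", b"MZ constructed stub, not a real binary")
    msg = EmailMessage()
    msg["From"] = '"Natwest" <Secure.Message@natwest.com>'
    msg["X-Envelope-From"] = "fraud@aexp.com"
    msg["Subject"] = "You have received a secure message"
    msg.set_content("Read your secure message by opening the attachment, SecureMessage.zip.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SecureMessage.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(*check_message(build_sample()), sep="\n")
```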

 

   

Malware examples:

15 September 2015

Attachment : SecureMessage.zip containing SecureMessage.scr ( Upatre downloader )

VirusTotal report | Malwr.com report | hybrid-analysis.com report 

Just about every IP address you see in this incident is a hacked AirOS device (like an AirRouter) or a MikroTik router.

Also:

gets public-facing IP address: 
http://icanhazip.com/
checks in with something like a campaign ID:
http://197.149.90.166:12186/15AST77/
Downloads encrypted binaries in the form of fake .mp3 files (dance157.mp3), fetched over HTTPS from dozens of bare IP addresses.
drops executable after decrypting ONE of the fake .mp3 files
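An added example (not from the original post) that scores the download chain just described against proxy-log lines: the icanhazip.com lookup, the check-in to a bare IP on port 12186, and the fake .mp3 fetched over HTTPS from a bare IP. The log format, the client addresses and the two benign lines are constructed assumptions; call find_chains(SAMPLE_LOG) to see the one client that trips all three tells.

```python
# Added example, not from the original post: score the Upatre beacon/download chain
# (public-IP lookup, odd-port check-in to a bare IP, fake .mp3 from a bare IP over HTTPS).
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+) (\S+)$")  # "date time client method url"
URL_RE = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?(/\S*)?$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDOW = timedelta(minutes=10)

def classify(url):
    """Name the tell a single URL matches, or None."""
    m = URL_RE.match(url)
    if not m:
        return None
    scheme, host, port, path = m.group(1), m.group(2).lower(), m.group(3), m.group(4) or "/"
    if host == "icanhazip.com":
        return "public-ip-lookup"
    if BARE_IP.match(host):
        if scheme == "https" and path.lower().endswith(".mp3"):
            return "fake-mp3-from-bare-ip"
        if port and port not in ("80", "443"):
            return "bare-ip-odd-port-checkin"
    return None

def find_chains(lines):
    """Return {client: sorted tells} for clients with >= 2 distinct tells inside WINDOW."""
    seen = defaultdict(list)  # client -> [(time, tell)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        tell = classify(m.group(4)) if m else None
        if tell:
            seen[m.group(2)].append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), tell))
    hits = {}
    for client, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            tells = sorted({t for ts, t in events[i:] if ts - t0 <= WINDOW})
            if len(tells) >= 2:
                hits[client] = tells
                break
    return hits

# Constructed log lines (not a real capture); the URLs mirror the ones quoted in the post.
SAMPLE_LOG = [
    "2015-09-15 10:02:11 10.1.4.23 GET http://icanhazip.com/",
    "2015-09-15 10:02:13 10.1.4.23 GET http://197.149.90.166:12186/15AST77/",
    "2015-09-15 10:02:20 10.1.4.23 GET https://109.199.11.51/dance157.mp3",
    "2015-09-15 10:03:05 10.1.4.40 GET http://icanhazip.com/",  # lone lookup: not flagged
    "2015-09-15 10:04:00 10.1.4.51 GET https://cdn.example.net/song.mp3",  # real hostname
]
```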

Downloaded, decrypted, and dropped executable ( Dyreza banking malware )

VirusTotal report | Malwr.com report | hybrid-analysis.com report 

Also:

Campaign ID:

1509au77

These C2 sites were found (IP:port pairs, on 443 or 4443).


  

20 August 2014

Attachment : a real-life malicious .pdf file!

VirusTotal report 

Avast Other:Malware-gen [Trj]
CAT-QuickHeal Exploit/Pdfjsc.AMJ
DrWeb SCRIPT.Virus
ESET-NOD32 PDF/Exploit.CVE-2013-2729.G
Kaspersky HEUR:Exploit.PDF.Generic
McAfee RDN/Generic Exploit!1m3
Qihoo-360 Trojan.Generic
Rising NORMAL:Hack.Exploit.MalPDF.a!1609222
Symantec Trojan.Pidief

MalwareTracker.com report 

1.0 @ 15: block size over 10MB
1.0 @ 15: suspicious.warning: object contains JavaScript
1.0 @ 15: pdf.exploit BMP RLE integer heap overflow CVE-2013-2729
1.0 @ 15: suspicious.obfuscation using substring
1.0 @ 15: suspicious.obfuscation using String.fromCharCode
1.0 @ 15: suspicious.obfuscation using String.replace
1.0 @ 15: suspicious.javascript in XFA block

Using PDFStreamDumper, this 14k pdf takes about 90 megs in memory.

Relevant stream data in this pastebin.

  

10 June 2014

Download link : Document_087341-436175.zip containing Document_087341-436175.scr ( Cryptowall ransomware )

Download link points to places like :

www.cubby.com/pl/Document_087341-436175.zip/_0e1f0f95214a458c8f534b9503f216bd

leading to  Document_087341-436175.zip containing Document_087341-436175.scr

VirusTotal report | Malwr.com report | Anubis report

  

16 May 2014

Attachment : SecureMessage.pdf containing a link to download malware.

Picture of an attached PDF containing a malware link, sent by a sender that is not Bank of America.

The "encrypted file / ok" area contains a link to a Dropbox download, which delivers BankofAmerica.scr.

VirusTotal report | Malwr.com report | Anubis report 

   

8 May 2014

Attachment : securedoc.zip containing securedoc.scr (Citi bank version)

VirusTotal report | Malwr.com report  | Anubis report 

  

17 March 2014

Attachment : securedoc.zip containing securedoc.exe (Bank of America Merrill Lynch version)

VirusTotal report | Malwr.com report | File-Analyzer.net report 

  

6 February 2014

Attachment : SecureMessage.zip containing SecureMessage.scr

VirusTotal report | Malwr.com report

  

8 November 2013

Attachment : Secure_Message.zip containing Secure_Message.exe

VirusTotal report | Malwr report

  

June-July-ish 2013

message_zdm.zip which contained message_zdm.exe | VirusTotal report

securedoc.html.zip containing securedoc.html.exe | VirusTotal report

 
