FYI...
Fake 'Payment Advice' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
5 Oct 2017 - "An email with the subject of 'Important – Payment Advice' pretending to come from HSBC but actually coming from a look-alike domain HSBC <no-reply@ hsbcpaymentadvice .com> or HSBC <no-reply@ hsbcadvice .com> with a malicious Word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... there is a slight formatting problem in Outlook, where the emails arrive with a -blank- body. Reading in plain text or using view source shows the content...
Screenshot: https://myonlinesecurity.co.uk/wp-co...vice_-HSBC.png
SecureMessage.doc - Current VirusTotal detections 10/59*. Payload Security**
This malware file downloads from
http ://diga-consult .de/ser1004.png which of course is -not- an image file but a renamed .exe file that gets renamed to aqdccc.exE (VirusTotal 13/65***). An alternative download location is
http ://hill-familie .de/ser1004.png
This email -attachment- contains a genuine Word doc with a macro script that when run will infect you.
The Word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...c_4_Oct_17.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1507166812/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
87.106.222.158
64.182.208.181
194.87.92.191
*** https://www.virustotal.com/en/file/a...is/1507170157/
ser1004.png
diga-consult .de: 87.106.222.158: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/59...8c0e/analysis/
hill-familie .de: 148.251.5.116: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/cf...7ff4/analysis/
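
Added example, not part of the quoted advisory: the download described above has a .png name but is an executable, so a gateway or triage script can compare a file's extension with its leading bytes. The function names, result labels and sample byte strings below are constructed for illustration.

```python
import os
import struct

# Leading bytes that a genuine file of each image type must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Compare the extension in a download's name with what its bytes really are."""
    ext = os.path.splitext(name.lower())[1]
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return "not-checked"          # extension does not claim to be an image
    if data.startswith(magic):
        return "ok"
    if is_pe(data):
        return "executable-disguised-as-image"
    return "content-mismatch"

# Constructed sample inputs (not real malware): a 68-byte MZ/PE header stub and a PNG signature.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, body in [("ser1004.png", FAKE_PE), ("logo.png", REAL_PNG), ("setup.exe", FAKE_PE)]:
        print(f"{name:12} {classify(name, body)}")
```

The same comparison can be run on proxy or mail-gateway captures, where a "content-mismatch" on an image extension is also worth a look even when the body is not a PE file.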