ACH Wire Transfer Notification Downloads Malware

 Analysis by: Mark Aquino

Trend Micro received spammed messages purported to be from the Online Security Department of the Federal Deposit Insurance Corporation. The message tells the reader that their wire and ACH transactions have been suspended, and goes on to instruct the reader to open the attached file for further information.

The message itself is HTML-coded with malicious iframes that contain JavaScript, which is detected as JS_GAREMON.A. When the message is opened using an email client, the message automatically opens and executes the malicious iframes, which points to a malicious URL. Malicious files are then downloaded on the affected system where the message is opened. Note that the user does not have to open the attachment in order for files to be downloaded. Just reading the message is enough to trigger the download of malicious files.

Trend Micro recommends to users to delete messages of such nature immediately upon receipt.

 SPAM BLOCKING DATE / TIME: February 03, 2012 GMT-8
  • PATTERN:8686

Related Malware