Analysis by: Chloe Ordonia

Cybercriminals are using a new technique to lure potential victims: attaching a spam email inside another spam email while abusing the names of known banks such as Lloyds Bank, National Westminster Bank (NatWest), and Wells Fargo. Wells Fargo's name has been used in a Blackhole Exploit Kit (BHEK) spam run in the past.

The new samples acquired appear to be notifications from the banks named above, each carrying an attachment named SecureMessage.msg. Opening the attached message file displays a second email, this one carrying a .ZIP attachment. That inner message instructs the recipient to download the attachment in order to read the 'secured' message; inside this email is a .ZIP attachment holding SecureMessage.exe.
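The nesting described above (bank-themed mail, attached message, ZIP, executable) is easy to miss if a gateway only inspects top-level attachments. The following is an added detection example, not code from the original analysis; it assumes the attached message is represented as a MIME message/rfc822 part (a real Outlook .msg is a different container format and would need its own parser) and builds a constructed sample inline so it runs offline.

```python
import email
import io
import zipfile
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif")

def executables_in_zip(data):
    """Names of ZIP members with an executable extension; empty if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []

def scan(msg, depth=0):
    """Walk the MIME tree; depth counts how many attached messages we are inside.
    Returns (depth, zip_name, executables) for each ZIP-with-executable found inside an attached message."""
    findings = []
    if msg.get_content_type() == "message/rfc822":
        for inner in msg.get_payload():           # the attached email itself
            findings += scan(inner, depth + 1)
    elif msg.is_multipart():
        for part in msg.get_payload():
            findings += scan(part, depth)
    elif depth > 0 and (msg.get_filename() or "").lower().endswith(".zip"):
        members = executables_in_zip(msg.get_payload(decode=True) or b"")
        if members:
            findings.append((depth, msg.get_filename(), members))
    return findings

def build_sample():
    """Constructed sample (not a real capture): bank-themed outer mail -> attached message -> ZIP with an .exe.
    The result is round-tripped through the parser so scan() sees what a mail gateway would see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage.exe", b"placeholder bytes, not a real binary")
    inner = MIMEMultipart()
    inner["Subject"] = "Your secured message"
    zip_part = MIMEApplication(buf.getvalue(), "zip")
    zip_part.add_header("Content-Disposition", "attachment", filename="SecureMessage.zip")
    inner.attach(zip_part)
    outer = MIMEMultipart()
    outer["Subject"] = "Lloyds Bank: you have received a secure message"
    msg_part = MIMEMessage(inner)
    msg_part.add_header("Content-Disposition", "attachment", filename="SecureMessage.msg")
    outer.attach(msg_part)
    return email.message_from_bytes(outer.as_bytes())
```

Running `scan(build_sample())` reports the ZIP at depth 1 with its executable member, while a ZIP attached directly to the outer mail (depth 0) is left to the usual attachment filters.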

SPAM BLOCKING DATE / TIME: April 01, 2014 GMT-8
TMASE INFO
• ENGINE: 7.5
• PATTERN: 0604