Barracuda Engineer and Research Scientist Luis Chapetti (@cudasecurity) is warning us of a new phishing attack that he discovered on Friday afternoon. The email impersonates an official secure message from Bank of America Merrill Lynch.
The email includes a pdf attachment that contains a malware link. The link takes the user to an address similar to this:
This initiates a download of the "SecureMessage.zip" file, which contains Spyware/Win32.Zbot. This trojan takes the following actions on the user computer:
- Starts servers listening on 0.0.0.0:6710 and 0.0.0.0:6506
- Performs an HTTP GET of malkanat.com/images/Targ-1605USdp.tar
- Collects MachineGuid, DigitalProductID, and SystemBiosDate
- Steals private information such as login data, that is transmitted through browsers
- Installs itself for autorun at Windows startup
This message shares is similar to other "secure message" emails that we have seen in the past year, in that it shares these characteristics:
- The "secure message" attachment is an executable or a zip file
- The user is directed to open the attachment with a web browser
- It directs the user to a Dropbox link which contains the malware
This phishing attack has been used against customers of other banks as well. Citibank, Key Bank, HSBC, and NatWest have all been impersonated for this type of attack.