MX Labs reports that they recently intercepted a large number of emails warning internet users that certain banks had not accepted their payroll payments or transfers; the scam comes with a malware attachment.
The scam emails use the following subjects:
- ACH debit transfer was hold by Yolo Community Bank
- ACH payroll payment was not accepted by Central Trust and Savings Bank
- ACH Transfer was not accepted by Eldorado Bank
- ACH debit transfer was hold by The Mechanics Bank
- Funds transfer was hold by our bank
The sender address is spoofed, and the message reads:
Dear Madam / Sir,
I regret to inform you that ACH payroll payment initiated by you or on your behalf was not accepted by Central Trust and Savings Bank.
Transaction ID: 17036653478735
Current status of transaction: on hold
Please review transaction details as soon as possible.
Theodore Parham
Payments Administration
Central Trust and Savings Bank
The "review transaction details" link leads to a malicious page, which prompts the visitor with a pop-up message to download Adobe Flash Player. The file is 233 KB and is named "Flash.exe"; as you may have guessed, it is malware.
Kaspersky detects it as Trojan-Spy.Win32.Zbot.coak and McAfee detects it as Artemis!C5D161117328.
Several Windows registry changes are executed, and the trojan can establish a connection to the IP 64.252.17.231 on port 11760.
At the time of writing, only 12 of the 43 AV engines on VirusTotal detected the trojan.
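As an added defender-side example (not part of MX Labs' report), the Python below flags messages whose subject and body match the campaign's wording and scans firewall log lines for the reported C2 endpoint. The sample message, the log line format and its field names are constructed assumptions.

```python
import re
from email import message_from_string

# Subject pattern built from the five subject lines quoted in the report
SUBJECT_RE = re.compile(
    r"^(ACH (debit )?(transfer|payroll payment)|Funds transfer) was "
    r"(hold|not accepted) by ", re.IGNORECASE)
LURE_PHRASES = ("review transaction details", "transaction id:")
# Network indicator quoted in the report
C2_IP, C2_PORT = "64.252.17.231", 11760
# Assumed key=value firewall log format
CONN_RE = re.compile(r"dst=(?P<ip>[\d.]+)\s+dport=(?P<port>\d+)")


def body_text(msg):
    """Flatten a parsed message to its text/plain content."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")


def score_email(raw):
    """Return which campaign indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    text = body_text(msg).lower()
    hits = {
        "ach_subject": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
        "lure_phrases": all(p in text for p in LURE_PHRASES),
    }
    hits["suspicious"] = hits["ach_subject"] and hits["lure_phrases"]
    return hits


def c2_connections(log_lines):
    """Return log lines showing a connection to the reported C2 IP and port."""
    return [line for line in log_lines
            if (m := CONN_RE.search(line))
            and m["ip"] == C2_IP and int(m["port"]) == C2_PORT]


# Constructed sample message modelled on the one quoted in the report
SAMPLE_EMAIL = """\
From: payments@example.invalid
Subject: ACH payroll payment was not accepted by Central Trust and Savings Bank
Content-Type: text/plain

Dear Madam / Sir,
I regret to inform you that ACH payroll payment initiated by you or on your
behalf was not accepted by Central Trust and Savings Bank.
Transaction ID: 17036653478735
Please review transaction details as soon as possible.
"""
# Constructed firewall lines; only the second one hits the C2 indicator
SAMPLE_LOG = ["src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp",
              "src=10.0.0.5 dst=64.252.17.231 dport=11760 proto=tcp"]
```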