The original email is nothing special and has a blank body and a PDF attachment. The PDF has a link to https://kamzink.com/redirect-new-alert-logon/redirect.htm which redirects you to ( or should redirect you to ) https://rattanhospital.co.in/new-usbank-security-update/usbank.com.online.logon/home However this site only works in Firefox using Noscript when I block scripts from omtrdc.net. ( which looks like an Adobe Marketing cloud analytics script) Allowing scripts from that site display a blank page for me in all browsers. I assume the phishers made a mistake and that script will only work on the genuine website so is unable to display the page. This shows the error in just copy & pasting an entire website homepage & just changing a few links on it. Anyway, anything the phishers do wrong is a step in the right direction to protect users.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
The original email looks like this It will NEVER be a genuine email from your bank any other company so don’t ever click the link in the email. If you do it will lead you to a website that looks at first glance like the genuine usbank website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phishes will ask you fill in the html ( webpage) form that comes attached to the email.
From: US BANK <unitedbankpayment.alert@communication.com>>
Date: Wed 28/12/2016 08:15
Subject: E-Payment Alert Notification From Another US Bank Customer
Attachment: US_Bank_Payment_2_.pdf
Body content: Blank / Empty
Following the link sends you to a site looking identical to the genuine usbank.com website ( with the above provisos)
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
Following on from these [ FEDEX ] [ USPS ] posts describing the Spoofed FedEx and USPS ( and other delivery services from time to time) I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each days new sites to the lists, but please remember that old sites are reused daily until taken down by their hosts. All the sites used in this malware spreading campaign are hacked / compromised sites.
The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js by searching on your computer, that is run directly from temp internet files ) Counter.js then downloads a different variant of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site delivering counter.js to actually download from itself, normally that downloads from a different site on the list. All the files ( apart from the original counter.js) pretend to be png ( image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. to get the second counter.js you need to change the &r=01 at the end of the url to &m=01 ( or 02-05). This second counter.js contains additional sites to download from which frequently includes sites from the previous days lists that are not already included in the WSF or first counter.js.
I only accidentally found out about the second /3rd /4th /5th counter.js when I made a mistake in manually decoding the original wsf file ( and the original counter.js) and mistyped/ miscopied the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and blocked by an antivirus or web filter service.