Trojan Transfers

Fred Touchette

This morning we're seeing a malware campaign purporting to come from Barclays Bank that makes a somewhat half-hearted attempt at convincing recipients that money has just been transferred out of their accounts. Those behind it appear to be targeting victims in the UK, judging by the wording of the email, which gives the currency as GBP (pounds sterling). However, the amount, which is random in each email, lacks proper formatting, so it reads as an arbitrary number rather than as a monetary value. For example: "5884 GBP has been successfully transfered." or "9969 GBP has been successfully transfered." From a financial institution one would normally expect a thousands separator or a decimal point, perhaps both, and very likely the correct spelling of "transferred".
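The two tells above (a bare integer where a bank would write a formatted amount, and the misspelled "transfered") can be turned into a simple triage heuristic. The following is an added illustration written for this post, not AppRiver's filtering logic; the message bodies are constructed to resemble the lures described, and the rule that a bank-style amount must carry a thousands separator or a decimal point is an assumption of the example.

```python
import re

# Constructed sample message bodies (not taken from the campaign itself).
# Bodies 0 and 1 mimic the lure described above; 2 and 3 are plausible
# legitimate notifications for comparison.
SAMPLE_BODIES = [
    "5884 GBP has been successfully transfered.",
    "9969 GBP has been successfully transfered.",
    "GBP 1,250.00 has been successfully transferred to the account ending 4471.",
    "Your payment of 45.99 GBP was received. Thank you.",
]

# Matches "GBP 1,250.00" or "1,250.00 GBP": a three-letter currency code
# either side of a number that may contain commas and two decimals.
AMOUNT_RE = re.compile(
    r"(?:(?P<cur1>[A-Z]{3})\s*(?P<amt1>\d[\d,]*(?:\.\d{2})?))|"
    r"(?:(?P<amt2>\d[\d,]*(?:\.\d{2})?)\s*(?P<cur2>[A-Z]{3}))"
)

# Digits grouped in threes with commas (or a plain run of digits), optionally
# followed by exactly two decimals.
WELL_FORMED_AMOUNT = re.compile(r"^(?:\d{1,3}(?:,\d{3})+|\d+)(?:\.\d{2})?$")

# The lure's misspelling, matched as a whole word, case-insensitively.
MISSPELLING_RE = re.compile(r"\btransfered\b", re.IGNORECASE)


def amount_is_well_formed(amount: str) -> bool:
    """Assumed bank convention: correct grouping plus either a thousands
    separator or a decimal point. A bare integer such as '5884' fails."""
    if not WELL_FORMED_AMOUNT.match(amount):
        return False
    return "," in amount or "." in amount


def score_body(body: str) -> dict:
    """Return the indicators found in one message body."""
    findings = []
    for m in AMOUNT_RE.finditer(body):
        amount = m.group("amt1") or m.group("amt2")
        currency = m.group("cur1") or m.group("cur2")
        if not amount_is_well_formed(amount):
            findings.append(f"unformatted amount '{amount} {currency}'")
    if MISSPELLING_RE.search(body):
        findings.append("misspelling 'transfered'")
    return {"suspicious": bool(findings), "findings": findings}


def triage(bodies) -> list:
    """Indices of bodies that trip at least one indicator."""
    return [i for i, body in enumerate(bodies) if score_body(body)["suspicious"]]


if __name__ == "__main__":
    for i in triage(SAMPLE_BODIES):
        print(i, score_body(SAMPLE_BODIES[i])["findings"])
```

Run against the constructed samples, only the two lure-style bodies are flagged, each on both indicators; the formatted amounts in the other two pass. This is a triage aid rather than a verdict: a legitimate message can omit the pence and a better-written lure can spell correctly, so the indicators belong alongside sender and link checks, not in place of them.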

The malware is packed with Armadillo to obscure its contents and evade initial antivirus detection. Once it has infected the machine, it enumerates all running processes and then runs through its routine to make sure it keeps its foothold on the victim's machine.

So far we've seen roughly 230,000 messages attempting to deliver this payload, all of which AppRiver has blocked preemptively.