Good Morning Malware

Just after 9am yesterday we began seeing messages purporting to be an “Outlook Setup Notification”. The messages contained a fake alert attempting to convince you to click on the link provided. The link is to an .exe that is not disguised very well and contains a malicious payload. Yesterday we blocked more than one million of these messages. All of these used the same domain (liventsov.ru) to deliver the malware. Below is an example of the message:
[Image: example “Outlook Setup Notification” message]

Fast forward to this morning: just after 8am today we began seeing a very similar campaign. These messages are clearly a new version of the same campaign. Today’s variant claims to have some crucial information about YOUR credit card account. The message states the need to inform you of suspicious activity on your account. Once again there is a URL at the bottom (that they would have you believe is a “Word-formatted copy of your transaction list”) that is actually a link to a malicious .exe. As with the “Outlook Setup Notification”, these messages, titled “Information of Your Transaction”, also use just one domain (scananida.com.pl) to deliver the malware. We have netted nearly 1 million messages so far today, putting it on par with yesterday’s campaign, which is still being sent out. Below is an example of the message:
[Image: example “Information of Your Transaction” message]
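A mail-filter style check for the pattern described above, as an added example (not code from the original post): it extracts URLs from a message and flags links that point at the two delivery domains named in the post or whose path ends in .exe. The sample messages, sender addresses, subdomain and file names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

CAMPAIGN_DOMAINS = ("liventsov.ru", "scananida.com.pl")  # named in the post
EXECUTABLE_EXTS = (".exe",)  # extend as needed; the post only mentions .exe
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(raw_message):
    """Return every http(s) URL found in the text parts of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # Strip sentence punctuation that the regex swallows at the end.
            urls += [u.rstrip(".,;:)") for u in URL_RE.findall(part.get_content())]
    return urls

def classify_url(url):
    """Return the reasons a URL looks like this campaign (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # Exact host or true subdomain only, so look-alike names do not match.
    if any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
        reasons.append("campaign-domain")
    # Test the path, not the whole URL, so a query string cannot hide the .exe.
    if parts.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("executable-link")
    return reasons

def scan(raw_message):
    """Map each suspicious URL in the message to its list of reasons."""
    return {u: r for u in extract_urls(raw_message) if (r := classify_url(u))}

# Constructed sample messages (not captured from the campaign).
SAMPLE_LURE = """\
From: alerts@bank.example
Subject: Information of Your Transaction
Content-Type: text/plain

We need to inform you of suspicious activity on your account.
Word-formatted copy of your transaction list:
http://files.scananida.com.pl/report.exe?id=1001.
"""
SAMPLE_BENIGN = """\
From: it@corp.example
Subject: Setup guide

See https://intranet.example/docs/setup.docx for details.
"""
```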
