Within the first five minutes, thirty three (33) phishing emails attempted to be delivered out of a sample infected host, all of them targeting NatWest or The National Westminster Bank Plc. Here are some samples, that of course never made it out to their recipient :
- Sender Address: "Natwest Bank Internet Banking Support"
- Sender Address: "Natwest Private and Corporate Support"
What is making an impression besides the malicious economies of scale achieved on behalf of the malware infected hosts used for sending, and as we've already seen, hosting and phishing pages and the malware itslef? It's the campaing's targeted nature in respect to the segmented emails database used for achieving a better response rate. The National Westminster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are targeting Italian users. Malware variants signal their presence to 18.104.22.168/forum.php and try to obtain campaigns to participate in, this is a sample detection rate for the latest fake news items one, and more details on the domains and nameservers used in the latest campaign :
Yet another internal nameservers ecosystem within the botnet :