A little while ago, phishing mails claiming to be from NACHA were in circulation – it seems the phishers have had enough of that, deciding to send out malicious files instead.
The mail claims an attempted bank transfer has gone horribly wrong, and you should open up the file listed as .pdf.exe – whoops – to see what all the commotion is about.
Click to Enlarge
Hitting the link takes you through a couple of URLs – freenacha-s(dot)info and fasdfq(dot)co(dot)cc/forum(dot)php?tp=27f57d3dcb81f8c0, with a fake 404 error page which serves up a rogue anyway (a member of the FakeSysDef family).
Click to Enlarge
reportAB8839.exe will give you an unwanted vistor, in the shape of Trojan.Win32.FakeAv.awrp (v). VirusTotal report currently gives a total of 7/40 detections. At time of writing, both Freenacha and fasdfq URls actually do appear to be offline, but the download location for the executable (nacha-report-download(dot)com) is still alive and kicking. No doubt it’ll appear in a few more emails before the site goes offline for good.
Christopher Boyd (thanks to Bharath and Joseph).