Page 1 of 1

"International Institute of Rural Reclamation"

Posted: Mon Jul 18, 2016 4:11 am
by Unidyne
Okay, got two e-mails (supposedly) from this group, with identical messages but different names and message titles. Both say the following:

To whom it may concern,

Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank.

Regards,


(No, I didn't open the attachment!)

One is entitled "Confirmation Slip" sent from a "Firew Kefyalew", but signed "Mr Firew Mekonnen, U.S. Office
Accounting Department, International Institute of Rural Reconstruction". The differences in the names got my attention.

The second was entitled "Payment Slip" and sent and signed by "Mr Getachew Tamiru".

The web address listed in the e-mails (iirr.org) is for a group that provides educational and farming assistance to impoverished regions, and both messages had US mailing addresses and telephone numbers. Anyone know anything about this?

ADDENDUM: I ran "Please check the attached swift copy of payment and kindly confirm receipt of payment with your bank." in a web-search and found a number of warnings from CISCO about the attachment being a Trojan Horse for malicious software.

https://tools.cisco.com/security/center ... rtId=40056

Re: "International Institute of Rural Reclamation"

Posted: Wed Jul 27, 2016 6:55 pm
by KickahaOta
One of my servers has been getting bombarded with these messages, with a randomly-chosen selection of From: addresses and message bodies. Doesn't appear to be any kind of actual 419 effort, just an attempt to get a keylogger or ransomware on the box if the recipient opens the attachment.

Re: "International Institute of Rural Reclamation"

Posted: Wed Jul 27, 2016 7:29 pm
by NYGman
If I downloaded it and opened it on my Raspberry Pi, would that allow me to checkout the payload, without infecting my network, or would I need to sandbox it first?

Re: "International Institute of Rural Reclamation"

Posted: Thu Jul 28, 2016 6:47 pm
by KickahaOta
I'd be reluctant to give any advice other than "Nuke the site from orbit", because I've seen multiple payload types used in this same attack wave. Some are macro-enabled Office documents; some are Windows scripting files; some are other ZIPped-up nonsense.