The email reads as follows (original errors included). The capture of the fake message shows what looks like an attachment, copy_118255371.doc (564 KB), which is in fact the malicious link:
________________________________________
Segue em anexo o comprovante de depósito em conta corrente do ressarcimento do contrato n° 118255371.
Pedimos que confira seus dados e extrato e verifique se todas as informações e valores estão corretos.
(Translation: "Attached is the receipt of the deposit into your current account for the refund of contract no. 118255371. We ask you to check your details and statement and verify that all information and amounts are correct.")
________________________________________
Sincerely,
Financial Department (Financeiro)
Banco Votorantim S/A
www.bvfinanceira.com.br
Av. Brigadeiro Faria Lima, 1948 - São Paulo - SP
(11) 3345-9988 /3345-7766
The malicious link in the email, http://[DELETED]rpa.gob.mx/financeiro.html?id=http://www.bvfinanciera.com.br/anexo/sistema/34975983258953893245, leads to a Mexican government site that criminals have compromised. Note that the address carried in the id parameter uses the domain bvfinanciera.com.br, which is not the bank's real domain quoted in the signature (bvfinanceira.com.br): a reader skimming the link sees a plausible bank URL, while the request actually goes to the .gob.mx host.
(Screenshot in the original post: the page on the Mexican government site that poses as the download of the deposit receipt mentioned in the mail.)
The download link on that page, http://www1.a[REMOVED].gov.co/financeirobv.exe, points to a Colombian government site hosting the Trojan in question. At the time of writing, the file financeirobv.exe is detected by only 2 of the antivirus engines on VirusTotal.
Mail Source
Mail of this kind usually comes from infected computers, zombies that are part of a botnet. In this case, however, it did not: it came from the mail server of a Brazilian educational institution. The likely explanation is abuse of that mail service, which is in a way already evident from the fact that the sender address does not belong to the institution's domain. A properly configured server should not allow a message from a foreign sender domain to be relayed this way.
As usual, Segu-Info has notified the Mexican and Colombian government sites about the abuse of their servers, as well as the person responsible for the abused Brazilian mail server.
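The two observations above, a lure URL that carries a lookalike bank domain inside its query string and a bank sender address coming out of an unrelated institution's mail server, are cheap to check automatically. The following is an added example, not Segu-Info's code: a small triage script that parses a message, compares the sender's domain with the relaying host named in the Received header, and flags URLs that smuggle a second URL in a parameter, use a near miss of the legitimate domain, or point at an executable. The sample message is constructed to mirror the lure (header values, IPs and the two "compromised*.example" hostnames are placeholders standing in for the redacted .gob.mx and .gov.co hosts); only the bank domains come from the post.

```python
"""Triage checks for a lure of the kind described in the post (added example)."""
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

LEGIT_DOMAIN = "bvfinanceira.com.br"   # the bank's real domain, from the lure's signature
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: placeholder hostnames/IP; the sender claims to be the bank
# while the first relay is an unrelated educational server, as in the post.
SAMPLE_MAIL = """\
Return-Path: <financeiro@bvfinanceira.com.br>
Received: from mail.example-edu.br (mail.example-edu.br [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
From: Financeiro Department <financeiro@bvfinanceira.com.br>
To: victim@example.net
Subject: Comprovante de deposito - contrato 118255371
Content-Type: text/plain; charset="us-ascii"

Segue em anexo o comprovante de deposito em conta corrente.
copy_118255371.doc (564kb)
http://compromised.example/financeiro.html?id=http://www.bvfinanciera.com.br/anexo/sistema/34975983258953893245
"""


def edit_distance(a, b):
    """Plain Levenshtein distance (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, legit=LEGIT_DOMAIN, max_dist=2):
    """True when host (minus a leading 'www.') is a near miss of legit, but not legit itself."""
    host = host.lower()
    name = host[4:] if host.startswith("www.") else host
    return name != legit and edit_distance(name, legit) <= max_dist


def nested_url(url):
    """Return a URL carried inside the query string (redirector/decoy pattern), else None."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None


def analyze_url(url):
    """Per-URL indicators: smuggled inner URL, lookalike host(s), executable payload."""
    parsed = urlparse(url)
    inner = nested_url(url)
    hosts = [parsed.hostname or ""]
    if inner:
        hosts.append(urlparse(inner).hostname or "")
    return {
        "redirector": inner is not None,
        "lookalike_hosts": [h for h in hosts if lookalike_of(h)],
        "executable": parsed.path.lower().endswith((".exe", ".scr", ".pif", ".bat")),
    }


def sender_domain(msg):
    """Domain of the envelope sender (Return-Path), falling back to From."""
    m = re.search(r"@([\w.-]+)", msg.get("Return-Path") or msg.get("From") or "")
    return m.group(1).lower() if m else ""


def relay_host(msg):
    """Hostname of the first relay named in the topmost Received header."""
    m = re.match(r"\s*from\s+(\S+)", str(msg.get("Received") or ""))
    return m.group(1).lower() if m else ""


def sender_matches_relay(msg):
    """True when the sender's domain belongs to the relaying server's parent domain.
    A bank address leaving a university's mail server, as in the post, fails this."""
    sender, relay = sender_domain(msg), relay_host(msg)
    parent = relay.split(".", 1)[1] if "." in relay else relay
    return bool(sender) and (sender == parent or sender.endswith("." + parent))


def triage(raw):
    """Run all checks over one raw RFC 5322 message and collect the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = {"sender_relay_mismatch": not sender_matches_relay(msg),
                "redirector_urls": [], "lookalike_hosts": [], "executable_urls": []}
    for url in URL_RE.findall(body):
        info = analyze_url(url)
        if info["redirector"]:
            findings["redirector_urls"].append(url)
        findings["lookalike_hosts"].extend(info["lookalike_hosts"])
        if info["executable"]:
            findings["executable_urls"].append(url)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
    print(analyze_url("http://www1.compromised-two.example/financeirobv.exe"))
```

The relay check is deliberately crude (it compares the sender domain with the parent domain of the first Received host); in production you would rely on SPF/DKIM results instead, but it is enough to surface the mismatch the post describes. The lookalike threshold of two edits catches the bvfinanciera/bvfinanceira swap without flagging the bank's own domain.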
Raúl, Segu-Info editorial team

