A spam campaign posing as convincing bank transfer statements is tricking users into installing malware on their devices, malware that's capable of several damaging functions.

According to cloud security firm CYREN, whose researchers discovered the spam campaign active this past week, the emails arrive with subject lines such as: "Online wire transfer payment notification," "Payment update," and "Swift copy."

These spam emails inform users they received an international bank transfer, which they can review by opening the attached file, named "Swift copy," with Swift referring to the SWIFT technology used in international bank transfers.

Emails disguised as SWIFT bank transfer statements

Researchers say that the emails come disguised as transfer statements from banks such as Emirates NDB (UAE and other countries) and DBS (Singapore and other countries).

Spam email
Spam email posing as a fake bank transfer (via CYREN)

The file attachments contained in the email, all use the "double extension" trick, perpetrating to be a PDF file, but actually being an EXE file, as (Swift_Copy.pdf.exe).

Executing the email's payload drops a file named "filename.vbs", a Visual Basic script in the victim's Startup folder and "filename.exe" at:

%AppData%\Local\Temp\subfolder

Every time the user logs into his PC, the Visual Basic script will execute the filename.exe file.

In turn, the EXE file will install a keylogger on the user's computer, and log both keypresses and mouse movements.

Malware steals browser, FTP, and email credentials

Additionally, it will search the user's Windows registry and data storage units for information to steal.

CYREN researchers say the malware can collect the databases of browsers, FTP, and email clients. These databases contain information such as saved passwords, usernames, history, cookies, cache, and more.

Furthermore, the malware also searches and steals databases from the following Bitcoin (and other cryptocurrency) wallet apps:

  • Anoncoin
  • BBQcoin
  • Bitcoin
  • Bytecoin
  • Craftcoin
  • Devcoin
  • Digitalcoin
  • Fastcoin
  • Feathercoin
  • Florincoin
  • Freicoin
  • I0coin
  • Infinitecoin
  • Ixcoin
  • Junkcoin
  • Litecoin
  • Luckycoin
  • Megacoin
  • Mincoin
  • Namecoin
  • Phoenixcoin
  • Primecoin
  • Quarkcoin
  • Tagcoin
  • Terracoin
  • Worldcoin
  • Yacoin
  • Zetacoin

Bleeping Computer has reached out to CYREN researchers for the malware's SHA256 hash, in case other researchers want to analyze the malware as well.