Fake email “You have received new messages from HMRC” contains Upatre trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You have received new messages from HMRC”.

This email is sent from the spoofed address “no-replay <no-replay@csis.dik>” and has the following body:

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

The attached file report737009.zip contains the 50 kB file report.exe.

The trojan is known as Trojan.Upatre.125, Trojan-Downloader.Win32.Upatre.ezk, BehavesLike.Win32.Autorun.pz, Troj/Dyreza-BK or TROJ_UPATRE.LWE.

At the time of writing, 13 of the 55 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: d99c847c4432e5cd55123ef4ab9626302d3e061a59fbac03a46d6e514047bfd1

Fake email from R. Kern Engineering “inv.# 57949” contains malicious Word document


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “inv.# 57949” (numbers will vary).

This email is sent from the spoofed address “eileenmeade@kerneng.com” and has the following body:

Here is your invoice & Credit Card Receipt.

Eileen Meade
R. Kern Engineering & Mfg Corp.
Accounting
909) 664-2442
Fax 909) 664-2116

The attached file SKMBT_C552D150123_16106.doc is a Word file with an embedded macro that will download the executable bin.exe from the following locations:

hxxp://UKR-TECHTRAININGDOMAIN.COM/js/bin.exe
hxxp://schreinerei-ismer.homepage.t-online.de/js/bin.exe

The trojan is known as W32/Injector.BTAV!tr, Kryptik.CEWB or Mal/Wonton-AN.

At the time of writing, 3 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 23bbf7b1407bb9e657160f0545facc1d2634d5ba55d67bfaef3685194aa66ec1

Email Berendsen UK Ltd Invoice 60020918 117 contains malicious Word attachment


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Berendsen UK Ltd Invoice 60020918 117”.

This email is sent from the spoofed address “donotreply@berendsen.co.uk” and has the following body:

Dear Sir/Madam,

Please find attached your invoice dated 1st January.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.

Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604

The attached file IRN001526_60020918_I_01_01.DOC is a Word file with an embedded macro that will download the file bin.exe from the following location: hxxp://elektromarket.cba.pl/js/bin.exe

The trojan is known as Downloader-FAOO!434F0A990013 or Dridex.K.

At the time of writing, 2 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: f0b5ff9d89abfff25e71cc6b917d3c91d72a118d2b31174564b6e026da6b9846

Fake email “Invoice” from HEXIS (UK) LIMITED contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice”.

This email is sent from the spoofed address “Invoice from Hexis <Invoice@hexis.co.uk>” and has the following body:

Sent 15 JAN 15 08:30

HEXIS (UK) LIMITED
7 Europa Way
Britannia Park
Lichfield
Staffordshire
WS14 9TZ

Telephone 01543 411221
Fax 01543 411246

The attached file S-INV-CREATIFX-465219.doc is a Word file with an embedded macro that will download the 115 kB executable bin.exe from the following locations:

hxxp://dramakazuki.kesagiri.net/js/bin.exe
hxxp://cassiope.cz/js/bin.exe

The trojan is known as UDS:DangerousObject.Multi.Generic, Trojan.FakeMS.ED or PE:Malware.XPACK-LNR/Heur!1.5594.

At the time of writing, 4 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: 87f639a395dc72d9fa2aa517ec2776ee3c9e9c2fa71ba50d832e0ff012373b22

Malware: Payment request of 2537.78 (14 JAN 2015)


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Payment request of 2537.78 (14 JAN 2015)”.

This email is sent from spoofed addresses and has the following body:

Dear Sirs,

Sub: Remittance of GBP 2537.78

This is with reference to the above, we request you to kindly remit GBP 2537.78 in favor of our bank account.
For more information on our bank details please refer to the attached document.

Thanking you,
Phil Gilmore
Accounting Team

The attached file 11492UR.doc, name may vary, contains a macro that will download additional files from the following locations:

hxxp://95.163.121.71:8080/mopsi/popsi.php
hxxp://95.163.121.72:8080/mopsi/popsi.php
hxxp://136.243.237.204:8080/mopsi/popsi.php

The downloaded file is 114 kB and is named g08.exe.

At the time of writing, 6 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: f4c36c6e702324f0edb9fd62d2d50bb08c6507ff53847f2816870414dff53eaf

Upatre trojan attached to emails “Important Documents”


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Important Documents”.

This email is sent from the spoofed address “Charlie Egan <Charlie.Egan@wellsfargo.com>” and has the following body:

Please check out your latest account documents.

Charlie Egan
Level III Security Officer
817-102-6118 office
817-607-0621 cell Charlie.Egan@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

The attached file Important_Documents.zip contains the 37 kB file Important_Documents.exe.

The trojan is known as Virus.Win32.Heur.c, UDS:DangerousObject.Multi.Generic, BehavesLike.Win32.Yahlover.nt or Upatre.FN.

At the time of writing, 8 of the 57 AV engines at VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: c64809bdb7d4a4f6d947aa22ee3f62cc8a88a2d0d0afcfa67771cdceacc4fdf8

Fake email from Hazel Renewable Energy “NOVEMBER INVOICE” contains malicious Excel


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subjects:

NOVEMBER INVOICE
NOVEMBER INVOICE ADVICE
INVOICE ADVICE 08/01/2015

This email is sent from the spoofed address “Laverne King <Rosalyn.64@transtelco.net>” and has the following body:

Good morning

Happy New Year

Please could you advise on the  November GBP invoice in the attachment for me?

Many thanks

Kind Regards
Laverne King
Senior Accountant
HAZEL RENEWABLE ENERGY VCT 1 PLC

The attached file, named in the format RBAC_XXXXXX.xls (the characters vary), is an Excel sheet with a macro that will download additional components from various locations.

At the time of writing, 1 of the 56 AV engines at VirusTotal detected the Excel sheet, marking it as Trojan.Script.Agent.dlanqt.

See VirusTotal for more detailed information.
SHA256: b1c10f76fc15c3ca6ca89df5335d716241e57951098f7324bbe8c627430a0af6
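The campaigns above share two delivery patterns: a zip archive wrapping an executable (report.exe, Important_Documents.exe) and a legacy Word or Excel document whose macro fetches bin.exe or g08.exe. The mail-gateway triage script below is an added example, not MX Lab's own tooling; it flags both patterns on constructed sample messages, and the executable-extension list and the UTF-16LE "_VBA_PROJECT" stream-name heuristic are assumptions of the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 signature of legacy .doc/.xls
# OLE directory entries store stream names in UTF-16LE; a "_VBA_PROJECT" stream
# is only present when the document carries a VBA project (heuristic check).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
EXEC_EXT = (".exe", ".scr", ".pif")  # assumed set of executable extensions to flag


def triage_attachment(filename, data):
    """Return findings for one attachment (name, raw bytes); [] means nothing found."""
    findings, name = [], filename.lower()
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXT):
                        findings.append(f"archive contains executable: {member}")
        except zipfile.BadZipFile:
            findings.append("unreadable zip archive")
    elif name.endswith((".doc", ".xls")) and data.startswith(OLE_MAGIC):
        if VBA_MARKER in data:
            findings.append("OLE document contains a VBA project")
    return findings


def triage_message(raw):
    """Parse a raw RFC 822 message and triage every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results += [(name, f) for f in triage_attachment(name, payload)]
    return results


def make_zip(member, content):  # constructed sample: in-memory zip with one member
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample_message(subject, filename, data):
    """Constructed sample email (not a real capture) carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The OLE check only reads the directory entries of an uncompressed compound file, so an attachment that arrives inside a password-protected archive or in a modern .docm container is not covered by it.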
