Email “Employee Documents – Internal Use” from no-replay@my-fax.com leads to malicious Zip file


MX Lab, http://www.mxlab.eu, started to intercept quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”. This email is sent from the spoofed address “Fax <no-replay@my-fax.com>” and has the following body:

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: hxxp://challengingdomesticabuse.co.uk/myfax/company.html

Documents are encrypted in transit and store in a secure repository

———————————————————————————
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe.

The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ.

At the time of writing, 5 of the 55 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb

BACS payment Ref:057757DW emails contain malicious Excel sheet with macro


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “BACS payment Ref:057757DW”.

This email is sent from spoofed addresses and has the following body:

Please see below our payment confirmation for funds into your account on Tuesday re invoice 057757DW

Accounts Assistant
Tel:  01874 847 345
Fax: 01874 318 390

The attached file 057757DW.xls is a malicious Excel sheet with a macro that downloads a trojan from a remote location.

At the time of writing, the malicious Excel is not detected as a potential threat by any of the 54 AV engines at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: cbdc93de4eded4d2df825a30f0e255136c3564738e3298f367a4557b5b360eba

MX Lab recommends not opening this Excel sheet, or at the very least keeping macro execution disabled in the security settings so that macros do not run when an Excel (or Word) file is opened.
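Before a macro-laden attachment like this one reaches a user, a mail gateway or analyst can apply two cheap checks: compare the file's SHA256 with the values MX Lab publishes for these campaigns, and look for a VBA project inside the document. The following is an added example written for this page, not MX Lab's own tooling. The hash list is taken from the posts on this page; the macro check is a byte-level heuristic (legacy OLE2 Office files store the macro project under directory entries named "VBA" and "_VBA_PROJECT" in UTF-16LE, zip-based .xlsm/.docm files carry a vbaProject.bin part) and the sample attachments at the bottom are constructed byte strings, not the real samples.

```python
"""Attachment triage: known-bad SHA256 lookup plus a VBA-project heuristic.

Added example, not MX Lab's code. Sample inputs are constructed.
"""
import hashlib

# SHA256 values as published in the MX Lab posts on this page.
KNOWN_BAD_SHA256 = {
    "99b5c743e203cf0fd5be7699124668be35012aaa51233742f2cd979ab43a5dcb": "fax8127480_924.exe (Employee Documents)",
    "cbdc93de4eded4d2df825a30f0e255136c3564738e3298f367a4557b5b360eba": "057757DW.xls (BACS payment)",
    "0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10": "test.exe (BACS macro payload)",
    "745a25bcff06daf957730207c8b34704288fc5232fac81a228a5f2b4f577f048": "fax8642174_pdf.exe (Internet Fax Job)",
    "048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827": "CAR014 151239.doc (Card Receipt)",
    "b73b4a11f725137a4e1aa19236a5b61671d0880edc8ba1c4d7dd22031e55a922": "bin.exe (Card Receipt payload)",
    "25808f5afa8c93d477a954e4a0444b63fbaccac72a56dcd87d252df2606c0e19": "message_zdm.exe (JP Morgan Chase)",
    "e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3": "1790232EG.xls (PL REMITTANCE DETAILS)",
    "dcb491afa41042f5ff37ff37c80ac882dbf75865bd2c50a9be12d2d7b9c44225": "bin.exe (UK GEOLOGY PROJECT)",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # zip-based Office formats

# Directory-entry names inside an OLE2 container are stored as UTF-16LE.
OLE_VBA_MARKERS = [
    "_VBA_PROJECT".encode("utf-16-le"),               # also matches _VBA_PROJECT_CUR
    "VBA".encode("utf-16-le") + b"\x00\x00",          # exact, null-terminated "VBA" entry
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_macro(data: bytes):
    """Return (container, macro_present); container is None for unknown formats."""
    if data.startswith(OLE_MAGIC):
        return "ole2", any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(ZIP_MAGIC):
        # The part name appears in plain ASCII in the zip directory entries.
        return "ooxml", b"vbaProject.bin" in data
    return None, False


def triage(filename: str, data: bytes, known=KNOWN_BAD_SHA256) -> dict:
    """Hash the attachment, look it up, then fall back to the macro heuristic."""
    digest = sha256_hex(data)
    container, macro = has_macro(data)
    if digest in known:
        verdict = "block: matches published sample " + known[digest]
    elif macro:
        verdict = "quarantine: document carries a VBA project"
    else:
        verdict = "no indicator"
    return {"file": filename, "sha256": digest, "container": container,
            "has_macro": macro, "verdict": verdict}


def _fake_ole(*entry_names: str) -> bytes:
    """Constructed stand-in for an OLE2 file: header, padding, then entry names."""
    body = b"".join(n.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 60 for n in entry_names)
    return OLE_MAGIC + b"\x00" * 504 + body


# Constructed samples: an .xls with a macro project and one without.
MACRO_XLS = _fake_ole("Root Entry", "Workbook", "_VBA_PROJECT_CUR", "VBA", "_VBA_PROJECT")
CLEAN_XLS = _fake_ole("Root Entry", "Workbook", "SummaryInformation")

if __name__ == "__main__":
    for name, blob in (("057757DW.xls", MACRO_XLS), ("quarterly.xls", CLEAN_XLS)):
        print(triage(name, blob))
```

The hash lookup only catches the exact samples MX Lab saw; since these campaigns re-pack the payload frequently, the macro heuristic is the check that keeps working the next day, at the cost of also flagging legitimate macro workbooks, which is exactly the trade-off the recommendation above makes.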

Update 19/12/2014 – 18:45:

The macro can download the 90 kB large file test.exe from the following remote locations:

hxxp://78.129.153.23/sstat/lldvs.php
hxxp://5.9.253.183/sstat/lldvs.php
hxxp://185.48.56.123/sstat/lldvs.php

Use the Virus Total permalink for more detailed information.
SHA256: 0a1d7d4d463d74e93bde62fb659ebfbd83a16ca5d979f7adee0fc998037d4f10

Email Internet Fax Job contains URL that downloads trojan Upatre.FH


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Internet Fax Job”. The email is sent from the spoofed address “MyFax <no-replay@my-fax.com>” and has the following body:

Fax image data
hxxp://bursalianneler.com/documents/fax.html

The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe.

The trojan is known as Upatre.FH.

The trojan installs itself by creating the service ioiju.exe, makes sure that it is started when Windows boots, and modifies several Windows registry keys. Connections can be established with:

202.153.35.133
192.185.52.226
78.46.73.197
74.125.28.139
77.72.174.167
77.72.174.166
217.23.8.68
184.25.56.59
217.172.180.178

At the time of writing, 1 of the 55 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 745a25bcff06daf957730207c8b34704288fc5232fac81a228a5f2b4f577f048

Fake email “Card Receipt” from AquAid regarding payment contains malicious Word file


MX Lab, http://www.mxlab.eu, started to intercept a new distribution campaign by email with the subject “Card Receipt”. This fake email pretends to come from AquAid, a drinks supplier, and contains a so-called receipt for a payment that was made.

This email is sent from the spoofed address “Tracey Smith <tracey.smith@aquaid.co.uk>” and has the following body:

Hi

Please find attached receipt of payment made to us today

Regards
Tracey

Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone: 0121 525 4533
Fax: 0121 525 3502
Mobile: 07795328895
Email: tracey.smith@aquaid.co.uk

The attached file CAR014 151239.doc is a 133 kB Word file with a macro that downloads the trojan from the remote location hxxp://sardiniarealestate.info/js/bin.exe.

The malicious Word file is known as Trojan.Script.Agent.djfdmm or heur.macro.download.c.

At the time of writing, 2 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827

The 80 kB binary bin.exe is detected by 2 of the 54 AV engines at Virus Total. The trojan is known as Suspect-AN!01078F660F97, Malware.QVM20.Gen or Drixed.D. This trojan will try to connect to 81.169.156.5 and/or 74.208.11.204 on port 8080.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: b73b4a11f725137a4e1aa19236a5b61671d0880edc8ba1c4d7dd22031e55a922

Fake email “You have received a new secure message” from JP Morgan Chase contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You have received a new secure message”.

This email is sent from the spoofed address “Dylan A Scheffel <Dylan.A.Scheffel@jpmorgan.com>” and has the following body:

This is a secure, encrypted message.

Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.

Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Need Help?
Personal Security Image
Your personalized image for: be357ec@betransport.com
This personal security image will appear on secure email to you.
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved

The attached file message_zdm.zip contains the 36 kB large file message_zdm.exe.

The trojan is known as Trojan.DownLoader11.53284, Upatre.FN, Troj/Agent-AKUU or HB_Arkam.

At the time of writing, 11 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 25808f5afa8c93d477a954e4a0444b63fbaccac72a56dcd87d252df2606c0e19

New fake email PL REMITTANCE DETAILS ref1790232EG with malicious XLS in the wild


MX Lab, http://www.mxlab.eu, started to intercept a new distribution campaign by email with the subject “PL REMITTANCE DETAILS ref1790232EG” (the number at the end may vary with each email).

This email is sent from spoofed addresses and has the following body:

The attached remittance details the payment of £344.29 made on 16-DEC-2014 by BACSE.

This email was generated using PL Payment Remittance of Integra Finance System.

Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.

The attached file 1790232EG.xls is a malicious Excel sheet with a macro that downloads the payload from a remote location.

Screenshot of the XLS:

The malicious XLS is detected by 1 of the 55 AV engines at Virus Total and is labelled heur.macro.download.c.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3

Malicious Word file in email UK GEOLOGY PROJECT


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice as requested”.

This email is sent from the spoofed address “UK GEOLOGY PROJECT by Rough & Tumble with Moussa Minerals <roughandtumble63@yahoo.co.uk>” and there is no body text in the email.

The attached file 20140918_122519.doc is a malicious Word file with a macro that downloads the 73 kB file bin.exe from the following locations:

hxxp://openstacksg.com/js/bin.exe
hxxp://worldinlens.net/js/bin.exe

The trojan is known as TR/Crypt.ZPACK.Gen4 or Malware.QVM20.Gen.

At the time of writing, 2 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: dcb491afa41042f5ff37ff37c80ac882dbf75865bd2c50a9be12d2d7b9c44225
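The posts on this page publish two kinds of network indicators: the download locations the lures and macros fetch their payload from, and the addresses the Upatre.FH and Drixed.D samples connect to afterwards. The following retrospective sweep, an added example and not MX Lab's tooling, normalises the defanged “hxxp://” form, matches proxy lines on the download hosts and firewall lines on the post-infection addresses, and lists the internal clients that need attention. The log lines are constructed (Squid-style native access log and iptables-style connection log); only the indicators come from the posts.

```python
"""Retrospective IoC sweep over proxy and firewall logs.

Added example, not MX Lab's code. Indicators are those published in the
MX Lab posts; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Payload download locations as published (defanged), keyed by campaign subject.
URL_IOCS = {
    "hxxp://challengingdomesticabuse.co.uk/myfax/company.html": "Employee Documents - Internal Use",
    "hxxp://78.129.153.23/sstat/lldvs.php": "BACS payment Ref:057757DW",
    "hxxp://5.9.253.183/sstat/lldvs.php": "BACS payment Ref:057757DW",
    "hxxp://185.48.56.123/sstat/lldvs.php": "BACS payment Ref:057757DW",
    "hxxp://bursalianneler.com/documents/fax.html": "Internet Fax Job",
    "hxxp://sardiniarealestate.info/js/bin.exe": "Card Receipt (AquAid)",
    "hxxp://openstacksg.com/js/bin.exe": "UK GEOLOGY PROJECT",
    "hxxp://worldinlens.net/js/bin.exe": "UK GEOLOGY PROJECT",
}
# Post-infection connections: (ip, port) where the post names a port, bare ip otherwise.
C2_ENDPOINTS = {("81.169.156.5", 8080): "Drixed.D", ("74.208.11.204", 8080): "Drixed.D"}
UPATRE_FH_IPS = {
    "202.153.35.133", "192.185.52.226", "78.46.73.197", "74.125.28.139", "77.72.174.167",
    "77.72.174.166", "217.23.8.68", "184.25.56.59", "217.172.180.178",
}


def refang(url: str) -> str:
    """Turn the published hxxp:// form back into a parseable URL."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


# Host -> campaign, derived once from the URL list (matching on host, not full path,
# catches the same infrastructure serving a renamed payload).
HOST_IOCS = {urlsplit(refang(u)).hostname: c for u, c in URL_IOCS.items()}

URL_RE = re.compile(r"https?://[^\s\"']+")
FW_RE = re.compile(r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}).*?DPT=(?P<dpt>\d+)")


def scan(lines):
    """Return one hit per log line that touches a published indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if m:
            host = urlsplit(m.group(0)).hostname
            if host in HOST_IOCS:
                # Squid native layout: timestamp elapsed client action/code size method URL ...
                client = line.split()[2]
                hits.append({"line": n, "client": client, "indicator": host,
                             "campaign": HOST_IOCS[host], "stage": "download"})
            continue
        m = FW_RE.search(line)
        if m:
            dst, dpt = m["dst"], int(m["dpt"])
            if (dst, dpt) in C2_ENDPOINTS:
                hits.append({"line": n, "client": m["src"], "indicator": f"{dst}:{dpt}",
                             "campaign": C2_ENDPOINTS[(dst, dpt)], "stage": "c2"})
            elif dst in UPATRE_FH_IPS:
                hits.append({"line": n, "client": m["src"], "indicator": dst,
                             "campaign": "Upatre.FH", "stage": "c2"})
    return hits


def clients_to_isolate(hits):
    """Distinct internal hosts that reached a download location or a C2 address."""
    return sorted({h["client"] for h in hits})


# Constructed log excerpt: three proxy lines followed by three firewall lines.
SAMPLE_LOG = """\
1418990401.101    312 10.1.2.34 TCP_MISS/200 27231 GET http://challengingdomesticabuse.co.uk/myfax/company.html - HIER_DIRECT/203.0.113.10 text/html
1418990402.220     88 10.1.2.35 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.11 text/html
1418990455.003    540 10.1.2.36 TCP_MISS/200 92160 GET http://78.129.153.23/sstat/lldvs.php - HIER_DIRECT/78.129.153.23 application/octet-stream
Dec 19 18:45:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.36 DST=81.169.156.5 PROTO=TCP SPT=49811 DPT=8080
Dec 19 18:45:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.37 DST=198.51.100.7 PROTO=TCP SPT=49812 DPT=443
Dec 19 18:46:30 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=217.23.8.68 PROTO=TCP SPT=49813 DPT=80
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print("isolate:", clients_to_isolate(found))
```

A download hit tells you which mailbox opened the lure or ran the macro; a C2 hit on the same client tells you the payload actually executed. Bare IP indicators age quickly and some sit on shared hosting, so treat an IP-only hit as a lead to confirm against the process and service artefacts described in the posts rather than as proof on its own.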
