Fake email from Stanford Health Care contains trojan Upatre.GK


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

check out
Health Care
Impotant
Special offer
Stanford Medecine

This email is sent from various spoofed addresses and has the following body:

see attachment.

Jessica Epstein
Office Assistant IV
Stanford Health Care
1190 Welch Road, MC 5794 • Palo Alto, CA 94304
O: 650.736.1944 C: 650.847.0495
jepstein@stanfordhealthcare.org

The attached file is named:

Standford_service_data.zip
Standford_department_data.zip
Standford_special_information.zip
Customer_department_offer.zip

The ZIP file contains a 21 kB executable with the same name as the ZIP file.

The trojan is known as Upatre.GK or Trojan.Win32.YY.Gen.7.

At the time of writing, 2 of 57 AV engines on VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: 5da21bd031ae19d0ebd95d9b18fb1d565ed2537c551bc85195e77b747f082520

Trojan Upatre.GK present in emails “BACS Transfer : Remittance” and “Bankline ROI – Password Re-activation Form”


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects “BACS Transfer : Remittance for JSAG823GBP” and “Bankline ROI – Password Re-activation Form”.

BACS Transfer : Remittance for JSAG823GBP

This email is sent from the spoofed address “Nikki Ward <timothyjacker@natwest.com>” and has the following body:

We have arranged a BACS transfer to your bank for the following amount : 4045.00
Please find details attached.

The attached file BACS_Transfer_AQ004719.zip contains a 32 kB file, BACS_Transfer_AQ004719.scr. A .scr (screensaver) file is an ordinary Windows executable and runs when double-clicked.

Bankline ROI – Password Re-activation Form

This email is sent from the spoofed address “Susanne Babb <Susanne.Babb@rbs.co.uk>” and has the following body:

Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 835753 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.

<<Bankline_Password_reset_6265613.pdf>>
Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.
Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.

If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on 1850 750361 and one of our associates will be happy to assist you.

Regards
Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If the message is received by anyone other than the intended recipient, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster Bank Ireland Limited (“Bankline Bank Group”)/ Royal Bank of Scotland Group plc does not accept responsibility for changes made to this message after it was sent. Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by any member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

The attached file Bankline_Password_reset_6265613.zip contains a 32 kB file, Bankline_Password_reset_077812.scr (note that the number in the .scr name does not match the one in the ZIP name or the email body).

The trojan is known as Upatre.GK, HEUR/QVM20.1.Malware.Gen and Trojan.Win32.YY.Gen.7.

At the time of writing, 3 of 57 AV engines on VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: 036daf4501d0f9c76ebf75c709fcd647eab5436bc3028ceb8ffd431110e2616a

Fake email “Thank you for scheduling your online payment” from Chase contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Thank you for scheduling your online payment”.

This email is sent from the spoofed address “user <no-reply@alertsp.chase.com>” and has the following body:

Dear

Thank you for scheduling your recent credit card payment as an attachment. Your payment in the amount of 3898.96 will be credited to your credit card account (CREDIT CARD) ending in 6603 on 04/07/2015.

Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?

See statements – Choose to stop receiving paper statements, and see up to six years of your statements online.
See automatic payments – Set up monthly payments to be made automatically.
Transfer a balance – Transfer a balance to your credit card account.
Go to Personalized Alerts – Schedule Alerts to remind you of key account activity.
You can also see past payments you’ve made online by logging on to http://www.chase.com/creditcards and clicking “See/cancel payments” under “I’d like to …”

If you have questions, please call the Customer Service number on the back of your credit card.

Thanks again for using online payments.

Sincerely,
Cardmember Services

Screenshot of the message:

The attached file payment-6603-oMjo.zip contains a 42 kB file, payment.exe.

The trojan is known as Upatre-FAAR!AF3E7DE0EB61, Trojan.Win32.YY.Gen.3, Troj/DwnLdr-MJQ or Win32.Malware!Drop.

At the time of writing, 13 of 57 AV engines on VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: dda530220c7196a25fe5119dae77006879ce67974fe520512ecf103841ed0bed

Fake email from New Stanford Hospital contains password-protected RAR with trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Stanford”.

This fake email is sent from the spoofed address “Kcurran <kcurran@stanfordhealthcare.org>” and has the following body:

Please find the attached.

The password for the archive: kasandra

If you can not read the file, set WinRar http://www.rarlab.com/download.htm

Kevin T Curran
Director, Construction
New Stanford Hospital
Stanford Health Care
O: 650-723-2219   C: 650-847-8382
kcurran@stanfordhealthcare.org

http://www.sumcrenewal.org/

The attached password-protected archive WgxEoWsa.rar contains a 52 kB file, document.exe. Because the archive is encrypted, neither a mail gateway nor an AV engine can inspect the executable inside it without the password; the password is put in the email body precisely so that the recipient, and nobody in between, can extract and run the file.
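The four Upatre posts above share one delivery pattern: an archive whose single member is an executable (often a .scr) named after the archive itself, and in this post an archive that is additionally password-protected so nothing upstream can look inside. The following attachment triage is an added example written for this page, not MX Lab's own tooling; it flags executable members, members whose name mirrors the archive name, the encryption bit in ZIP headers, and RAR archives it cannot open natively. The sample archives are constructed in memory (the "executables" are only an MZ stub, and the password-protected Stanford RAR is simulated by setting the encryption flag on a ZIP, since the standard library cannot parse RAR).

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click. A .scr (screensaver) is an ordinary
# PE executable, which is why the BACS/Bankline samples used it.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the zip general purpose bit flag


def triage_archive(filename, data):
    """Return a list of findings for one attachment (its name and raw bytes)."""
    findings = []
    archive_stem = os.path.splitext(os.path.basename(filename))[0].lower()

    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        # The standard library cannot open RAR; an archive the gateway cannot
        # look into (password-protected or not) should not be waved through on
        # the strength of an AV scan of the outer file alone.
        findings.append("rar archive: contents cannot be inspected natively")
        return findings

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip or rar archive"]

    for info in zf.infolist():
        member = info.filename
        member_stem, ext = os.path.splitext(os.path.basename(member))
        ext = ext.lower()
        encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
        if encrypted:
            # Encrypted members defeat signature scanning on the gateway.
            findings.append(f"encrypted member: {member}")
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable member: {member}")
        if not encrypted:
            # Content check independent of the extension: PE files start with 'MZ'.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append(f"PE header (MZ) in member: {member}")
        if ext in EXECUTABLE_EXTS and member_stem.lower() == archive_stem:
            findings.append(f"member name mirrors archive name: {member}")
    return findings


# --- constructed samples (not real malware) -----------------------------------

def build_zip(member_name, member_bytes):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag on a one-member zip so it looks password-protected.
    The local file header is at offset 0 (flags at byte 6); the central directory
    entry's flags sit 8 bytes after its PK\\x01\\x02 signature. The member data is
    left untouched: this only simulates what a gateway sees in the headers."""
    buf = bytearray(zip_bytes)
    buf[6] |= ZIP_FLAG_ENCRYPTED
    cd = buf.rfind(b"PK\x01\x02")
    buf[cd + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(buf)


FAKE_PE = b"MZ" + b"\x90" * 100  # just the DOS magic; not a runnable executable

SAMPLES = {
    # Same shape as the BACS sample: archive and .scr share a basename.
    "BACS_Transfer_AQ004719.zip": build_zip("BACS_Transfer_AQ004719.scr", FAKE_PE),
    # Same shape as the Stanford ZIPs, with the password protection of the RAR
    # post simulated on a zip so the stdlib can still list the members.
    "Standford_service_data.zip": mark_encrypted(build_zip("Standford_service_data.exe", FAKE_PE)),
    # Benign: a zip holding a plain PDF.
    "quarterly_report.zip": build_zip("quarterly_report.pdf", b"%PDF-1.4\n"),
    # Same shape as WgxEoWsa.rar: the RAR signature alone triggers the rule.
    "WgxEoWsa.rar": RAR4_MAGIC + b"\x00" * 32,
}


def run_samples():
    return {name: triage_archive(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or ['no findings']}")
```

The MZ check is done on content rather than extension so that an "invoice.pdf" that is really a PE is caught too; it is skipped for encrypted members, which is exactly the gap a password-protected archive opens and why such archives deserve a finding of their own.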

The trojan is known as Win32:Evo-gen [Susp], Packed.Win32.Katusha.3!O, BehavesLike.Win32.Downloader.qh or Trojan.Win32.Qudamah.Gen.26.

At the time of writing, 4 of 56 AV engines on VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: 8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e

Malicious Word file in fake emails Digital Invoice/E-Invoice


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email. Each email has a Word file attached whose malicious macro downloads the actual trojan and other malware.

In our logs each message differs in sender address, subject and attached file name, and even the Word files themselves differ from message to message to evade detection by AV engines.

Here are some examples.

E-invoice [VB34258991] from CHARLES TAYLOR PLC

Email from the spoofed email address “Dawn Roberson <Larry.df@242-56-87-183.mysipl.com>” with subject “E-invoice [VB34258991] from CHARLES TAYLOR PLC” and body:

Attached file is in DOC format. Please verify and confirm data in document.

Best regards Dawn Roberson ,
CHARLES TAYLOR PLC

Attached file: VB34258991.doc
More info at Virus Total with SHA256: 0955c1e6e9444fac0a8808bf2b1f874b84facaed19648e228ccc3a8bf97b19c6

Digital Invoice [UH07965529] from SAGE GROUP

Email from the spoofed email address “” with subject “Digital Invoice [UH07965529] from SAGE GROUP” and body:

Attached file is in DOC format. Please verify and confirm data in document.

Kind regards Vincent Perkins ,
SAGE GROUP

Attached file: UH07965529.doc
More info at Virus Total with SHA256: dcf3bfade0dafef9b89801c7c7704586652fb86bbea38e17e685d6f3efb8d221

e-Invoice [EH60305285] from FRONTERA RESOURCES CORP

Email from the spoofed email address “Alec Vincent <Cameron.7f59@static.cablecom.ch>” with subject “e-Invoice [EH60305285] from FRONTERA RESOURCES CORP” and body:

Attached file is in DOC format. Please verify and confirm data in document.

Best regards Alec Vincent ,
FRONTERA RESOURCES CORP

Attached file: EH60305285.doc
More info at Virus Total with SHA256: 796e945dc7f1ebd4e3d0e8f012be6efe9a24b8391107d122ce25605d165ed432

Electronic Invoice [DZ23315488] from SBERBANK OF RUSSIA

Email from the spoofed email address “Leta Bird <Rachel.e786@theheru.org>” with subject “Electronic Invoice [DZ23315488] from SBERBANK OF RUSSIA” and body:

Attached file is in DOC format. Please verify and confirm data in document.

Best regards Leta Bird ,
SBERBANK OF RUSSIA

Attached file: DZ23315488.doc
More info at Virus Total with SHA256: 5482557cb1b02b145416ffc5124e57f04746dae2abbaaedb6b72b35e344f23e1

Currently most of the malicious Word files (all 36 kB in size) are not recognized as a threat on VirusTotal, and it is impossible to list all the variants being distributed right now.

MX Lab recommends not opening the attached Word files, or at least disabling macros in MS Word.

UPDATE 07/04/2015  13:15:

One of the samples is detected by the AV engine ESET-NOD32 and has been labelled VBA/TrojanDropper.Agent.AO.

e-Invoice [MV48143585] from New Moon (film production)

Email from the spoofed email address “Ginger Cruz <Charlotte.911a@netvale.psi.br>” with subject “e-Invoice [MV48143585] from New Moon (film production)” and body:

Attached file is in DOC format. Please verify and confirm data in document.

Yours sincerely Ginger Cruz ,
New Moon (film production)

Attached file: MV48143585.doc
More info at Virus Total with SHA256: 018c1379918f9794e825df543d79103f5b1e9bed4b805e8644d29b676f41a3eb

Emails “Invoice ID:248c90 in attachment.” contain Word file with malicious macro


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice ID:248c90 in attachment.” (the hex string varies in each subject line and in the attached file name). This email is sent from spoofed addresses and has no body content.

The attached file 248c90.doc is in fact a Word file with an embedded macro that downloads the actual trojan from several hosts.

At the time of writing, 0 of 56 AV engines on VirusTotal detected the malware.
SHA256: 0f1b5377c8dd493bfb9c9fcd980e3ef88c0c68c03abfabf813307295f38485c0

MX Lab recommends not opening the attached Word file, or at least making sure that macros are disabled.
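Because the Word files in both campaigns above (the "E-invoice [ID] from COMPANY" series and the "Invoice ID:xxxxxx in attachment." series) change with every message, hash-based blocking is hopeless, but the envelope is rigid: the attachment is always named after the identifier in the subject, and the body is either one fixed lure sentence or empty. The classifier below is an added example written for this page, not an MX Lab product; it correlates subject, attachment name and body and only labels a message when at least two of those indicators agree, so a legitimate invoice whose subject merely looks similar is not flagged. The regexes cover exactly the four subject prefixes quoted above; the sample messages are constructed from those quotes plus two benign look-alikes.

```python
import re

# Subject shapes of the two campaigns, as quoted above.
INVOICE_SUBJECT = re.compile(
    r"^(?:e-?invoice|digital invoice|electronic invoice) \[([A-Z]{2}\d{8})\] from (.+)$",
    re.IGNORECASE)
INVOICE_ID_SUBJECT = re.compile(r"^Invoice ID:([0-9a-f]{6}) in attachment\.$", re.IGNORECASE)
LURE_BODY = "Attached file is in DOC format. Please verify and confirm data in document."


def classify(msg):
    """msg: {'subject': str, 'attachments': [names], 'body': str}.
    Returns (campaign label or None, list of indicators that matched).
    A subject that merely looks invoice-like is not enough on its own; the
    label is applied only when the attachment name is tied to the subject
    or the stock lure text (or, for the second campaign, an empty body) is
    present as well."""
    subject = msg["subject"].strip()
    attachments = [a.lower() for a in msg.get("attachments", [])]
    body = msg.get("body", "").strip()

    m = INVOICE_SUBJECT.match(subject)
    if m:
        hits = ["subject: '<prefix> [ID] from <company>' pattern"]
        if f"{m.group(1).lower()}.doc" in attachments:
            hits.append("attachment named after the bracketed invoice id")
        if body.startswith(LURE_BODY):
            hits.append("stock lure body")
        return ("e-invoice doc macro campaign" if len(hits) >= 2 else None, hits)

    m = INVOICE_ID_SUBJECT.match(subject)
    if m:
        hits = ["subject: 'Invoice ID:<hex> in attachment.' pattern"]
        if f"{m.group(1).lower()}.doc" in attachments:
            hits.append("attachment named after the invoice id")
        if not body:
            hits.append("empty body")
        return ("invoice-id doc macro campaign" if len(hits) >= 2 else None, hits)

    return (None, [])


# Constructed messages: the first five copy the subjects and file names quoted
# above; the last two are benign look-alikes.
SAMPLE_MESSAGES = [
    {"subject": "E-invoice [VB34258991] from CHARLES TAYLOR PLC",
     "attachments": ["VB34258991.doc"],
     "body": LURE_BODY + "\n\nBest regards Dawn Roberson ,\nCHARLES TAYLOR PLC"},
    {"subject": "Digital Invoice [UH07965529] from SAGE GROUP",
     "attachments": ["UH07965529.doc"],
     "body": LURE_BODY + "\n\nKind regards Vincent Perkins ,\nSAGE GROUP"},
    {"subject": "e-Invoice [MV48143585] from New Moon (film production)",
     "attachments": ["MV48143585.doc"], "body": LURE_BODY},
    {"subject": "Invoice ID:248c90 in attachment.", "attachments": ["248c90.doc"], "body": ""},
    {"subject": "Invoice ID:9f0a1b in attachment.", "attachments": ["9f0a1b.doc"], "body": ""},
    # benign: subject shape matches, but the attachment is unrelated and the body is personal
    {"subject": "e-Invoice [AB12345678] from ACME Ltd",
     "attachments": ["march_statement.pdf"], "body": "Hi Tom, statement attached as agreed."},
    # benign: a reply, so the subject no longer starts with the campaign prefix
    {"subject": "Re: Invoice ID:248c90 in attachment.", "attachments": [], "body": "Was this you?"},
]


def run_samples():
    return [(m["subject"], classify(m)[0]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, label in run_samples():
        print(f"{label or 'no match':30} {subject}")
```

Such a rule is only a tripwire for this wave; it belongs in front of a content check on the attachment itself, which is what the next post's Excel variant shows is needed when the envelope changes.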

Fake email notification Faxtastic “Fax from +4921154767199 Pages: 1” contains malicious Excel sheet


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Fax from +4921154767199 Pages: 1”.

This email is sent from the spoofed address “faxtastic! <fax@faxtastic.co.uk>” and has the following body:

You have received a new fax. To view it, please open the attachment.

Did you know we now send? Visit http://www.faxtastic.co.uk for more details.

Regards,

faxtastic Support Team

The attached 62 kB file 2015031714240625332.xls is in fact an Excel sheet with an embedded macro that downloads the actual trojan from several hosts.

The malicious Excel file is detected as LooksLike.Macro.Malware.a (v) on VirusTotal.
SHA256: 0ecabe0a7fceb2dfdce96295d0ecceca0d8e0546c976a913f0e10c819af70fc0

More information is available at Hybrid Analysis as well.

MX Lab recommends not opening the attached Excel file, or at least making sure that macros are disabled.
