Email with RA_New.zip attached contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “RA 216001” – the numbers in the subject change with every email.

This email is sent from the spoofed address “NicolaR@jhs.co.uk” and has only a standard disclaimer in the body of the email:

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

The attached file RA_New.zip contains the 29 kB large file RA_New.exe.

The trojan is known as Win32.Trojan.Inject.Auto.

This trojan can download and install other files from the internet. It creates a process tempinst.exe on the system and makes connections with the following hosts on port 80:

checkip.dyndns.org
xr36rx.com
rmccontracting.com

It will request the files:

  • index.html
  • adv/honf.pdf
  • mandoc/honf.pdf

At the time of writing, 1 of the 56 AV engines at Virus Total detected the trojan.

Use Virus Total or Malwr for more detailed information.
SHA256: 29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e

Fake email from RingCentral regarding voice message contains attached trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Voice Message from No Caller ID on 25/02/2015 at 16:25”.

This email is sent from the spoofed address “"notify-uk@ringcentral.com" <notify-uk@ringcentral.com>” and has the following body:

You Have a New Voice Message

From: No Caller ID
Received: 18 December 2014 at 16:25
Length: 00:03
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)

To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.

Thank you for using RingCentral.

A screenshot of the message:

The attached file NoCallerID-1218-162550-153.wav.zip contains the 70 kB large file NoCallerID-1218-162550-153h.wav.exe.

The trojan is known as UDS:DangerousObject.Multi.Generic.

At the time of writing, 1 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total or Malwr for more detailed information.
SHA256: 843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379

Update 26/02/2015 – 11:15 (Belgian time):

Further analysis shows that this trojan will download other malware from the following locations:

hxxp://decapitated.cba.pl/java/bin.exe
hxxp://elsi.homepage.t-online.de/java/bin.exe

The trojan is known as UDS:DangerousObject.Multi.Generic, Sinowal.PDB or PE:Malware.XPACK-LNR/Heur!1.5594.

It will show a popup window on the desktop.

The processes edg2.exe and edg4.exe are created, Windows registry modifications are made, and the trojan can establish a connection with the following IP addresses on port 80:

92.63.87.13
5.196.241.196
66.110.179.66
202.44.54.5

At the time of writing, 3 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total or Malwr for more detailed information.
SHA256: c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b


Email “Internet Fax Job” with attached ZIP archive contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Internet Fax Job”.

This email is sent from the spoofed address “Jos Van Elslande <JVE@notvanelslande.be>” and has the following very short body:

Image data has been attached.

The attached file fax34242.zip contains the 29 kB large file fax34242.exe.

The trojan is known as Trojan.Email.FakeDoc or Win32.Trojan.Inject.Auto.

A new process teminstall.exe is created on the system and the following connections on port 80 are established:

checkip.dyndns.org
recfilm.linuxpl.info
thamesvalleychess.org

The following files are accessed:

  • index.html
  • factc.pdf
  • documents/factc.pdf

At the time of writing, 2 of the 43 AV engines at Virus Total detected the trojan.

Use Virus Total or Malwr for more detailed information.
SHA256: 0a42de4b9ec4e9101a602560d3a04d6eabb0e40e571e87455e0958a5ad03ea0e

Malicious XLS attached to email “Your LogMeIn Pro payment has been processed!”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Your LogMeIn Pro payment has been processed!”.

This email is sent from the spoofed address “"LogMeIn.com" <no_reply@logmein.com>” and has the following body:

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 25/2/2015
Amount : $999 ( you saved $749.75)

The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.

Thank you for choosing LogMeIn!

The attached file logmein_pro_receipt.xls is an Excel sheet with a macro that downloads the 92 kB large file bin.exe from the location hxxp://junidesign.de/js/bin.exe.

The trojan is known as Dridex.K, PE:Malware.XPACK-LNR/Heur!1.5594 or HEUR/QVM20.1.Malware.Gen.

At the time of writing, 3 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total or Malwr for more detailed information.
SHA256: 18bd732ba09803deafc175a689e14341b90debc723c57b9908853c261e4e8104
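The network indicators from the posts above (the RA_New.exe trojan, the RingCentral voicemail trojan and its update, the Internet Fax Job trojan and the LogMeIn XLS downloader) are only useful if they are actually checked against traffic. The following is an added example, not MX Lab's code: it matches outbound web-proxy log lines against those hosts, IPs and request paths. The log format, the client addresses and the sample lines are constructed; the indicator values come from the posts.

```python
"""Match outbound web-proxy log lines against the network indicators
published in the MX Lab posts above. Added example, not MX Lab's code;
the log format and the sample lines below are constructed."""
import re
from urllib.parse import urlsplit

# Hosts and IPs the posts list as download or callback contacts.
IOC_HOSTS = {
    "xr36rx.com", "rmccontracting.com",
    "recfilm.linuxpl.info", "thamesvalleychess.org",
    "decapitated.cba.pl", "elsi.homepage.t-online.de", "junidesign.de",
}
IOC_IPS = {"92.63.87.13", "5.196.241.196", "66.110.179.66", "202.44.54.5"}
# checkip.dyndns.org is a public "what is my IP" service; the samples
# use it, but so do legitimate clients, so on its own it is a weak signal.
LOW_CONFIDENCE_HOSTS = {"checkip.dyndns.org"}
# Paths the samples request. index.html is deliberately left out: alone
# it would match far too much benign traffic.
IOC_PATHS = {"/adv/honf.pdf", "/mandoc/honf.pdf", "/factc.pdf",
             "/documents/factc.pdf", "/java/bin.exe", "/js/bin.exe"}

# Constructed log format: <epoch> <client ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def classify(line):
    """Return a hit dict for a log line that touches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if url.path in IOC_PATHS:
        reasons.append("ioc-path")
    if host in LOW_CONFIDENCE_HOSTS:
        reasons.append("low-confidence-host")
    if not reasons:
        return None
    strong = any(r != "low-confidence-host" for r in reasons)
    return {"client": m["client"], "host": host, "path": url.path,
            "reasons": reasons, "confidence": "high" if strong else "low"}


def scan(lines):
    """All hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


def clients_to_isolate(hits):
    """Clients with at least one high-confidence hit. A lone
    checkip.dyndns.org lookup is not enough to act on."""
    return sorted({h["client"] for h in hits if h["confidence"] == "high"})


# Constructed sample log: one infected host per campaign plus benign noise.
SAMPLE_LOG = """\
1424860800.101 10.0.0.12 GET http://checkip.dyndns.org/ 200
1424860801.220 10.0.0.12 GET http://xr36rx.com/adv/honf.pdf 200
1424860802.330 10.0.0.45 GET http://www.example.com/index.html 200
1424860803.440 10.0.0.45 GET http://checkip.dyndns.org/ 200
1424860804.550 10.0.0.77 GET http://92.63.87.13/ 200
1424860805.660 10.0.0.90 GET http://junidesign.de/js/bin.exe 200
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("isolate:", clients_to_isolate(hits))
```

Running the block over the sample log flags 10.0.0.12, 10.0.0.77 and 10.0.0.90 for isolation; 10.0.0.45 only talked to checkip.dyndns.org and is reported at low confidence so an analyst can decide whether to look further.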

Fake email regarding delivery attempt by FedEx contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar to:

Reese Torres agent Fedex
Dylan Livingstone agent Fedex

This email is sent from the spoofed address “Fedex <fedexservice@juno.com>” and has the following body:

Dear Customer,
We tried to deliver your item on February 22th, 2014, 08:15 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the receipt that is attached to this email and visit Fedex location indicated in the invoice.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 44364578782324455
Expected Delivery Date: February 22th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent

Thank you

Copyright© 2015 FEDEX. All Rights Reserved.
*** This is an automatically generated email, please do not reply ***

The attached file Package.zip contains the 78 kB large file 443645787823424455.scr.

The trojan is known as HEUR:Trojan.Win32.Generic or Win32.Trojan.Inject.Auto.

At the time of writing, 5 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total for more detailed information.
SHA256: 09162dab1d254ad9fc583f165f554d57cd0205e129099ff102291ac4090cb23b

Fake email from Essex Central Magazine contains Upatre trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice”.

This email is sent from the spoofed address “Essex Central Magazine <darren@notifications.kashflow.com>” and has the following body:

Please see attached invoice for the upcoming issue of Essex Central Magazine.

Regards,

Accounts Dept.

The attached file invoice.zip contains the 29 kB large file invoice_pdf.exe.

The trojan is known as Trojan.Upatre.Gen.1, Win32/TrojanDownloader.Waski.F, Trojan-Downloader.Win32.Upatre (A) or Downloader.Upatre.

At the time of writing, 23 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total for more detailed information.
SHA256: 8762db3bdb7a7a1d69dd2e4e152340baeb0ec4d654698b52a38ab9d736242b79

Fake email “Order: PO/M15-0023” from Veneta Services Ltd. contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order: PO/M15-0023”.

This email is sent from the spoofed address “"Veneta Services Ltd." <info@direzionemondo.it>” and has the following body:

Dear Sir/Madam,

We have requirements for the attached items, kindly quote.

We are looking for your earliest quotation. Please send your offer soon.

Regards

M. Paschal Picolo
(Sales Manager)

Management World
Veneta Services Ltd.

Via Mestrina, 64
30172 Mestre -VE-

Hours Monday through Friday:
9:00 to 12:30
15:00 to 19:00
Saturday:
9:30 to 12:00

Tel: 041-986588
Fax: 041-986510

Mail:
info@direzionemondo.it
http://www.direzionemondo.it

The attached file Order#PO-M15-0023881221-pdf.zip contains the 205 kB large file Order#PO-M15-0023881221-pdf.exe.

The trojan is known as Suspicious.Cloud.5.

At the time of writing, 1 of the 57 AV engines at Virus Total detected the trojan.

Use Virus Total for more detailed information.
SHA256: bab6e418b89b174e4bcbaf9b477d635b13cb52b75706ae61165ba75d384d32e4
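Every campaign on this page relies on the same few attachment tricks: a ZIP wrapping an .exe or .scr (RA_New.zip, fax34242.zip, Package.zip, invoice.zip, Order#PO-M15-0023881221-pdf.zip), a decoy type in the name (NoCallerID-1218-162550-153h.wav.exe, invoice_pdf.exe, Order#PO-M15-0023881221-pdf.exe) and, for the LogMeIn campaign, a macro-carrying .xls. With detection at 1 to 5 of 57 engines for most of these samples, a mail gateway cannot rely on AV alone. The following is an added example, not MX Lab's code: gateway-style checks that apply those structural rules plus a SHA256 blocklist built from the hashes in the posts. The attachments are constructed stand-ins built in memory; the VBA check is a crude byte heuristic, and a production gateway should parse the OLE structure properly (for instance with oletools).

```python
"""Gateway-style attachment checks for the campaigns described above.
Added example, not MX Lab's code; all sample attachments are constructed."""
import hashlib
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DECOY_EXT = {"pdf", "doc", "xls", "wav", "jpg", "txt", "htm", "html"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
# SHA256 values published in the posts above.
KNOWN_BAD_SHA256 = {
    "29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e",
    "843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379",
    "c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b",
    "0a42de4b9ec4e9101a602560d3a04d6eabb0e40e571e87455e0958a5ad03ea0e",
    "18bd732ba09803deafc175a689e14341b90debc723c57b9908853c261e4e8104",
    "09162dab1d254ad9fc583f165f554d57cd0205e129099ff102291ac4090cb23b",
    "8762db3bdb7a7a1d69dd2e4e152340baeb0ec4d654698b52a38ab9d736242b79",
    "bab6e418b89b174e4bcbaf9b477d635b13cb52b75706ae61165ba75d384d32e4",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_name(name):
    """Return (executable, disguised) for a file name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    pieces = base.split(".")
    if len(pieces) < 2:
        return False, False
    if "." + pieces[-1] not in EXEC_EXT:
        return False, False
    stem = ".".join(pieces[:-1])
    # foo.wav.exe: a decoy extension directly before the real one
    double = len(pieces) >= 3 and pieces[-2] in DECOY_EXT
    # invoice_pdf.exe / order-pdf.exe: decoy type glued onto the stem
    glued = any(stem.endswith(sep + d) for d in DECOY_EXT for sep in ("_", "-", " "))
    return True, (double or glued)


def inspect_attachment(filename, data, known_bad=KNOWN_BAD_SHA256):
    """Verdict for one attachment: hash match, executables inside a ZIP,
    decoy extensions, and a crude VBA-in-OLE heuristic."""
    findings = []
    digest = sha256_hex(data)
    if digest in known_bad:
        findings.append("known-bad-sha256")
    names = [filename]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()          # look at what the ZIP wraps, not the ZIP
    for n in names:
        executable, disguised = classify_name(n)
        if executable:
            findings.append("executable:" + n)
        if disguised:
            findings.append("decoy-extension:" + n)
    # OLE directory entries store stream names as UTF-16LE; a stream named
    # _VBA_PROJECT means the workbook carries VBA. Heuristic only.
    if data.startswith(OLE_MAGIC) and "_VBA_PROJECT".encode("utf-16-le") in data:
        findings.append("ole-with-vba-macros")
    return {"attachment": filename, "sha256": digest,
            "findings": findings, "block": bool(findings)}


def make_zip(inner_name, payload=b"MZ constructed payload"):
    """Constructed single-file ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed stand-ins for the attachments named in the posts, plus one benign file.
SAMPLES = {
    "RA_New.zip": make_zip("RA_New.exe"),
    "NoCallerID-1218-162550-153.wav.zip": make_zip("NoCallerID-1218-162550-153h.wav.exe"),
    "Package.zip": make_zip("443645787823424455.scr"),
    "invoice.zip": make_zip("invoice_pdf.exe"),
    "logmein_pro_receipt.xls": OLE_MAGIC + b"\x00" * 32 + "_VBA_PROJECT".encode("utf-16-le"),
    "minutes.pdf": b"%PDF-1.4 constructed benign document",
}


def scan_all(samples=SAMPLES):
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print("BLOCK " if verdict["block"] else "PASS  ", name, verdict["findings"])
```

Because the stand-ins are constructed, their hashes will not match the blocklist; the hash rule only fires on the real samples. The structural rules fire on every malicious stand-in regardless, which is the point: they catch the next campaign with a fresh hash and 1-of-57 detection as well as this one.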
