“DHL shipment failed to arrive” delivery failure notification by email contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “DHL shipment failed to arrive” or “DHL Private delivery services”.

This email is sent from the spoofed address “DHL Service <service@dhl-globalmail.com>” and has the following body:

Dear ****@****.co.uk
Your parcel arrived at the post office on April 22. Our courier was unable to deliver the parcel to your adress.
To receive the parcel you should go to the nearest DHL office and take your mailing label with you.

The mailing label is attached. Please print it and show at the nearest DHL office to receive the parcel.

Thank you for using DHL Service!

Princes Court, 11
Wapping Ln, London,
E1W 2DA,United Kingdom
Toll Free: +44 20 7553 2200
Hours:Open today · 9:00 am – 7:00 pm

Screenshot:

The attached ZIP file has the name DHL_label_56047.zip and contains the 142 kB file Label_87698_id_2518023.pdf.exe.

The trojan is known as Trojan.Agent.ED, HEUR/Malware.QVM20.Gen, PE:Malware.XPACK-HIE/Heur!1.9C48, Troj/Zbot-IDQ or TROJ_GEN.F47V0423.

At the time of writing, 6 of the 51 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: c2e20aae93b43ea9d1d66b3c6ab518dfb5dc8045ca10e099ba4f145a0066dc01.

Paintball booking confirmation email will infect your computer with trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Paintball Booking Confirmation”.

This email is sent from the spoofed address ‘"ipguk52@paintballbookingoffice.com" <ipguk@paintballbookingoffice.com>’ and has the following body:

Dear client,

Many thanks for your booking on Saturday 19/04/2014 at our Reading Paintball centre Mapledurham, Reading. Arrival time is 09:15AM prompt.

Please view the attached booking confirmation, map and important game day documents prior to attending.

Kind regards,
Leigh Anderson
Event Co-ordinator
0844 477 5208

cid: 42440947

The attached ZIP file has the name Booking Confirmation 2826-66935.zip; once extracted, it creates a folder Booking Confirmation 0414-28921 which contains the 14 kB file Booking Confirmation 0414-28921.exe.

The trojan is known as Win32:Dropper-gen [Drp], W32/Trojan.ZLGD-2681, Trojan:W32/Zbot.BBLB or HEUR/Malware.QVM07.Gen.

At the time of writing, 4 of the 51 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe

Fake email “Avis de Paiement” from HSBC contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Avis de Paiement”.

This email is sent from the spoofed address “HSBC France <Avis.de.Paiement@hsbc.fr>” and has the following body in French (translated here):

Hello Sir / Madam,
As requested, please find attached the e-advice payment for your reference.

Regards

HSBC France

IMPORTANT: DO NOT USE THE “reply to” FUNCTION,
WHICH DOES NOT ALLOW US TO PROCESS YOUR REQUEST.

You can download the latest version of Acrobat Reader free of charge from the Adobe site at the following address: http://www.adobe.fr/products/acrobat/readstep2.html

This message and all attachments (hereinafter the « Message ») are confidential and intended exclusively for their recipients. Any unauthorised modification, editing, use or distribution is prohibited. If you have received this Message in error, please notify us immediately. HSBC and its subsidiaries accept no liability for this Message if it has been altered, distorted, falsified, or edited or distributed without authorisation.

The attached ZIP file has the name AvisDePaiement.zip and contains the 20 kB file AvisDePaiement.scr.

The trojan is known as W32/Trojan.TRRQ-5643, Trojan-Downloader.Win32.Upatre (A), W32/Agent.A4FD!tr, Artemis!87DB04ED7233 or HEUR/Malware.QVM20.Gen.

At the time of writing, 9 of the 51 engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: b385d344b03cab88892d1e76319e265c0c0ced93632ed0b355776acc73e834d3

Fake email from booking.com in Dutch with attached invoice confirmation contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “factuur bevestiging” (“invoice confirmation”) from the spoofed email address ‘"booking.com" <booking.payment@booking.com>’ and the following body in Dutch (translated here):

Attn: Dear customer

We are writing this letter to draw your attention to the overdue items referenced below with us

Reminder to the Customer
Due Date: 2014/12/01
FACTUUR-9837461039847
Amount due: €287,00

Please find attached your invoice for the first payment.

We appreciate your efforts to ensure that the payment is received in a suitable matter. Please note that a €100 reconnection fee will be charged if your account is suspended due to payment arrears.

Thorpe K. Carlson
Billing Manager

Copyright © 1996-2014 Booking.com. All rights reserved.
This e-mail was sent by Booking.com, Herengracht 597, 1017 CE Amsterdam, Nederland

The email contains two attached files: e-Ticket confirmation.pif and Invoice76453773.doc.

The first attached file, e-Ticket confirmation.pif, contains the trojan that is known as Heur.Win32.Veebee.1!O, Trojan.Dorkbot.ED or Trojan-FEAX!1B85EC2BD216. At the time of writing, 5 of the 51 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 8c6f520c42acab9df6ad3ca59e12c99f4f259650faaa12a3e5139b3845560bce.

The other attached file has the name Invoice76453773.doc. When opened, it uses macros. When processed by Virus Total, 2 of the 51 AV engines did detect the malware, named TrojanDownloader:O97M/Bogavert.A or Troj/DocDl-C.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 5be3ef36567271299d658529b889bdb8c83f07b6bc6ff4bd2a92ccfbce15c781

Email “ACH failed due to system failure” contains attached trojan in .scr format


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ACH failed due to system failure”.

This email is sent from the spoofed address “The ACH Network <Elvis.Guy@host45.190-31-85.telecom.net.ar>” and has the following body:

ACH PAYMENT CANCELLED

The ACH Transfer (ID: 87052955198926), recently submitted from your savings account (by you or any other person), was CANCELLED by other financial institution.

Rejection Reason: See details in the acttached report.
Transfer Report: report_87052955198926.pdf (Adobe Reader PDF)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association

The attached ZIP file has the name report_87052955198926.zip and contains the 19 kB file report_28740088654298.scr.

The trojan is known as W32/Trojan.MNWL-4927 or TROJ_GEN.F0D1H00CV14.

At the time of writing, 3 of the 48 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52

TR/Crypt.ZPACK.Gen trojan in fake New Fax Message email from RingCentral


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Fax Message on 02/12/2013” (even though today is already the 17th!).

This email is sent from the spoofed address “Floyd Mack <info@ast-consulting.ru>” and has the following body:

From: (616) 302-2551
Received: Wednesday, February 12, 2014 at 11:33 AM
Pages: 8
To view this message, please open the attachment

Thank you for using RingCentral.

A screenshot of the email:

The attached ZIP file has the name fax.zip and contains the 18 kB file fax.pdf.exe.

The trojan is known as TR/Crypt.ZPACK.Gen, HEUR/Malware.QVM07.Gen or Win32:Malware-gen. It can open listening network sockets, changes the local firewall policy, installs itself to run at startup and makes HTTP requests.

At the time of writing, 4 of the 50 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: fa6b3964d478a6af32b63d06395e74d87e1accfa8521db0a372c7c2e047bc684
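All of the campaigns above share the same lure: a ZIP attachment carrying an executable (.exe, .scr, .pif) that is named to look like a document, often with a double extension such as .pdf.exe. The script below is an added example written for this page, not MX Lab tooling, that performs the triage a mail gateway or analyst would do on such an attachment: it walks the ZIP, flags executable and double extensions, flags files whose bytes start with a PE “MZ” header but carry a document extension, and compares each member’s SHA256 against the hashes published in the posts above. The sample ZIP it builds is constructed to mimic the DHL campaign’s layout and is not the real file.

```python
import hashlib
import io
import zipfile

# SHA256 values published in the posts above, keyed to the dropped file name.
# This lookup table is constructed from the page, not from any vendor feed.
KNOWN_BAD_SHA256 = {
    "c2e20aae93b43ea9d1d66b3c6ab518dfb5dc8045ca10e099ba4f145a0066dc01": "Label_87698_id_2518023.pdf.exe",
    "4c69e3b6d2f7dbaf78eacfd60f2de685da9d942fdf9c1ff7ae4b88be17075fbe": "Booking Confirmation 0414-28921.exe",
    "b385d344b03cab88892d1e76319e265c0c0ced93632ed0b355776acc73e834d3": "AvisDePaiement.scr",
    "8c6f520c42acab9df6ad3ca59e12c99f4f259650faaa12a3e5139b3845560bce": "e-Ticket confirmation.pif",
    "5be3ef36567271299d658529b889bdb8c83f07b6bc6ff4bd2a92ccfbce15c781": "Invoice76453773.doc",
    "1ab76103d28fda1ed11d2019e7c47df3d57401aee43e7df785b057853f9c1f52": "report_28740088654298.scr",
    "fa6b3964d478a6af32b63d06395e74d87e1accfa8521db0a372c7c2e047bc684": "fax.pdf.exe",
}

# Extensions Windows will execute directly, and document extensions used as bait.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def triage_member(name, data):
    """Return a list of human-readable findings for one archive member."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any folder prefix
    exts = ["." + p for p in base.split(".")[1:]]   # every extension after the first dot
    if exts and exts[-1] in EXECUTABLE_EXT:
        findings.append(f"executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            findings.append(f"double extension {exts[-2]}{exts[-1]} masquerading as a document")
    # A PE file always starts with the DOS "MZ" magic, whatever its name says.
    if data[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXT):
        findings.append("PE header (MZ) with non-executable extension")
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"SHA256 matches known sample ({KNOWN_BAD_SHA256[digest]})")
    return findings


def triage_zip(zip_bytes):
    """Walk a ZIP attachment; return {member name: [findings]} for suspicious members only."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = triage_member(info.filename, zf.read(info))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed sample attachment shaped like the DHL campaign's ZIP (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_87698_id_2518023.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

The hash match only catches the exact samples listed here; the extension and MZ-header checks are what keep catching the next run of the same campaign once the attacker repacks the binary. A gateway policy that simply rejects archives containing any member with an extension in EXECUTABLE_EXT covers every attachment described on this page.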

Phishing email regarding SEPA payments targeting Dutch internet bank users


MX Lab, http://www.mxlab.eu, started to intercept a phishing campaign coming from the spoofed email address “IBAN/Rabobank <overopiban@iban.nl>” with the subject “SEPA: bent u al over? Wacht niet langer en kom in actie!” (“SEPA: have you switched yet? Don’t wait any longer and take action!”) targeting Dutch internet bank users.

Screenshot of the email:

The email claims that all European payments processed in the SEPA region need to carry a valid IBAN from August 1st, 2014, and that, in order to be part of the transition, the recipient has to order an IBAN payment card.

The embedded URL leads to hxxp://183.181.34.87/~goodbest/, which is obviously fake, but be warned that Firefox (on Mac OS X) did not report a possible security risk when accessing this web site.

The first screen welcomes the visitor and you’ll have to click the button to continue.

The second screen asks for personal details such as name, date of birth, account number and card expiration date.

The last screen confirms the submission of the details and states that the new payment card will be sent within 3 to 5 days.

MX Lab recommends, as usual, not following any instructions received by email that ask you to submit personal details regarding your banking activities.
