AT/74427678 RECHNUNG email with URL to online invoice will download W32/Emotet.AB!tr trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

AT/74427678 RECHNUNG
AT/74421616 RECHNUNG
FB/35059843 RECHNUNG
DE/81023509 RECHNUNG

This email is sent from spoofed addresses and has the following body (German original, translated here):

Good day **********,

please note that you can print your invoice yourself.

Your chosen payment method, account details and payment deadline can be found on the invoice.

Invoice.

If you pay your invoice by bank transfer, please state your invoice number as the payment reference. After receipt of payment you will receive a payment confirmation by email.

Mehdi Guebla

The "Invoice" link leads to hxxp://maatarinifilms.com/templates/UkREWsPwZVzm9, which serves the archive de_rechnung.zip. The archive contains a single 168 kB file named de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.

The trojan is detected as W32/Emotet.AB!tr and acts as a downloader that fetches further malware from the internet. On execution it creates the process wwcuhldh.exe, modifies the Windows registry and connects to the host 109.123.78.10 on port 8080 and to the look-alike host w.googlex.me on port 443. The two destination/port pairs are the most useful indicators for proxy and firewall logs; the process name is a weaker one, since droppers of this kind tend to pick a new name per sample.

At the time of writing, 1 of 56 AV engines detected the trojan on VirusTotal.

Use the VirusTotal permalink or the Malwr permalink for more detailed information.
SHA256: 8934c1983acc33f3ae7a8c76c7c4ad2909f251b8ada3438096789d1a81b6186c
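The post above gives two network indicators for this sample, 109.123.78.10:8080 and w.googlex.me:443. The script below is an added example, not MX Lab's tooling or anything shipped with the post; it matches those indicators against outbound connection logs and lists the internal hosts that produced an exact hit. The log layout ("timestamp source destination:port bytes") and the sample lines are constructed for the example; adapt the regular expression to your proxy or firewall format.

```python
"""Match outbound-connection log lines against the Emotet C2 indicators
from the post: 109.123.78.10 on port 8080 and w.googlex.me on port 443.
Added example; the log format and sample lines are constructed, not real."""
import re
from typing import Optional

# Indicators from the post. The (host, port) pairing is what was observed;
# traffic to the same host on another port is still worth a look.
C2_INDICATORS = {
    ("109.123.78.10", 8080),
    ("w.googlex.me", 443),
}
C2_HOSTS = {host for host, _ in C2_INDICATORS}

# Assumed layout: "<timestamp> <src> <dst>:<port> <bytes>", one record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<bytes>\d+)\s*$"
)

# Constructed sample lines (not captured traffic). 10.0.0.15 shows the full
# pattern; 10.0.0.22 touches the C2 IP on an unexpected port only.
SAMPLE_LOG = """\
2014-11-13T11:54:24Z 10.0.0.15 www.mxlab.eu:80 1432
2014-11-13T11:55:01Z 10.0.0.15 109.123.78.10:8080 512
2014-11-13T11:55:07Z 10.0.0.15 w.googlex.me:443 2048
2014-11-13T11:56:00Z 10.0.0.22 109.123.78.10:80 300
2014-11-13T11:57:12Z 10.0.0.22 www.google.com:443 9000
garbage line that should be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    rec["dst"] = rec["dst"].lower()  # hostnames are case-insensitive
    return rec


def classify(rec: dict) -> Optional[str]:
    """'exact' for a known host:port pair, 'host-only' for the host on
    another port, None when the destination is not an indicator."""
    if (rec["dst"], rec["port"]) in C2_INDICATORS:
        return "exact"
    if rec["dst"] in C2_HOSTS:
        return "host-only"
    return None


def scan(log_text: str) -> list:
    """All hits as (timestamp, source, 'dst:port', level), in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the scan
        level = classify(rec)
        if level:
            hits.append((rec["ts"], rec["src"], f'{rec["dst"]}:{rec["port"]}', level))
    return hits


def infected_sources(log_text: str) -> list:
    """Internal hosts with at least one exact hit: the ones to isolate first."""
    return sorted({src for _, src, _, lvl in scan(log_text) if lvl == "exact"})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print("hosts to isolate:", infected_sources(SAMPLE_LOG))
```

The "host-only" level is deliberately kept separate from "exact": a bare IP reused for other tenants can produce benign traffic on other ports, so it belongs in a review queue rather than an automatic block list.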

Latest “my photo” email contains new trojan variant


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “my photo”.

This email is sent from spoofed addresses and has the following body:

my new photo :)

The attached file my_iphone_photo.zip contains a folder holding the 54 kB executable 1my_photo.exe and the 30 kB image 2my_photo.jpg.

The trojan is detected as a variant of MSIL/Injector.GMB, UDS:DangerousObject.Multi.Generic, Trojan.MSIL.BVXGen or Win32.Trojan.Inject.Auto.

At the time of writing, 4 of 54 AV engines detected the trojan on VirusTotal.

Use the VirusTotal permalink and the Malwr permalink for more detailed information.
SHA256: 28993a2effd007e5d6c5453f61268c37c94c8d666156d0ebcae2e4dca004dcff

Malicious Word file in emails INV420354K Duplicate Payment Received


MX Lab, http://www.mxlab.eu, started to intercept a large campaign by email with the subject “INV420354K Duplicate Payment Received” (numbers may vary) that carries a malicious Word file.

This email is sent from spoofed addresses and has the following body:

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £669.62 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out to or if bank transfer, please advise bank details.

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you.

Many thanks
Margie Wright
Accounts Department

The attached file is named De_420354K.doc (numbers may vary). It is a malicious Word document whose macro, once enabled, fetches and installs further malicious files on the machine.

At the time of writing, none of the 54 anti-virus engines at VirusTotal detected this file. More information is available on VirusTotal; the SHA256 is ea85382435cf26e8066780b7115e4beef78caa0e8766bff324ff19e216496e4b.

Voice Message emails contain security threat


MX Lab, http://www.mxlab.eu, started to intercept a large campaign by email with the subject “Voice Message #0768384921” (numbers may vary). It is a continuation of the previous campaign targeting RBS customers.

This email is sent from the spoofed address “Message Admin <martin.smith@essex.org.uk>” and has the following body:

Voice redirected message

hxxp://crcmich.org/bankline/message.php
Sent: Thu, 13 Nov 2014 11:54:24 +0000

The embedded URL in our sample leads to hxxp://crcmich.org/bankline/message.php. This serves an HTML document with embedded JavaScript that, using ActiveXObject where available or otherwise a plain HTTP request, starts a download and prompts the victim to open or save the malicious file, exactly as the email instructs.

Fake email regarding new secure message from BankLine that targets RBS customers


MX Lab, http://www.mxlab.eu, started to intercept fake emails regarding a new secure message from BankLine that target RBS customers.

The subject line is “You have received a new secure message from BankLine#24802254”. This email is sent from the spoofed address “Bankline <secure.message@bankline.com>” and has the following body:

You have received a secure message.

Read your secure message by following the link below:

link

—————-
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.

First time users – will need to register after opening the attachment.
About Email Encryption – http://www.rbs.co.uk/corporate/electronic-services/g2/datalink.ashx

The embedded URL in our sample leads to hxxp://vsrwhitefish.com/bankline/message.php. As in the Voice Message campaign, this serves an HTML document with embedded JavaScript that, using ActiveXObject where available or otherwise a plain HTTP request, starts a download and prompts the victim to open or save the malicious file.

Fake “Ihre Telekom Mobilfunk RechnungOnline Monat November 2014” emails lead to malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 Nr. 50662087582088”.

This email is sent from the spoofed address “Telekom <info@********.com>” and has the following body (German original, translated here):

Dear Madam,
dear Sir,

Attached you will find the requested documents and data for your Telekom Mobilfunk RechnungOnline for business customers for the month of November,
Download (Your Telekom Mobilfunk RechnungOnline for business customers 9903599055 of 07.11.2014 for customer account 8323990355).

Kind regards,
Business Customer Service

Telekom Deutschland GmbH
Supervisory Board: Timotheus Höttges, Chairman
Management: Niek Jan van Damme (Spokesman), Thomas Dannenfeldt, Thomas Freude, Michael Hagspihl, Dr. Bruno Jacobfeuerborn, Dietmar Welslau, Dr. Dirk Wössner
Registered: Amtsgericht Bonn, HRB 59 19, registered office Bonn
VAT ID No.: DE 794100576531
WEEE-Reg.-Nr.: 367557846100

In this sample, the embedded "Download" link leads to hxxp://cnibrewards.ca/UE7MphqL, which serves the archive 2014_11rechnung_K4768955881.zip. The archive contains a 226 kB executable named 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe. The double extension relies on the Windows Explorer default of hiding known file extensions, under which the file is displayed as ending in .pdf; mail gateways should treat any executable extension following a document or image extension as malicious regardless of what the rest of the name says.

Numbers in the subject and/or file name may vary.

The trojan is known as Gen:Variant.Strictor.68477, HW32.Packed.4F7E, PE:Malware.XPACK-HIE/Heur!1.9C48 or Win32.Trojan.Bp-generic.Ixrn.

At the time of writing, 9 of 54 AV engines detected the trojan on VirusTotal.

Use the VirusTotal permalink for more detailed information.
SHA256: 5d728f4cd2051cf270a704e9f04735fbd8e9c208a01a2c2665ddc5a87e572aa1

W97M/Downloader.t threat attached as Word file to fake emails from Amazon regarding dispatched order


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your Amazon.co.uk order has dispatched (#203-2083868-0173124)”.

This email is sent from the spoofed address “"Amazon.co.uk" <auto-shipping@amazon.co.uk>” and has the following body:

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #203-2083868-0173124 (received November 5, 2014)

Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom’s Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an “as new” condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label. Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:

http://www.amazon.co.uk/help

If you’ve explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

————————————————-
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
————————————————-

The attachment is named Mail Attachment.doc and is approximately 230 kB in size.

The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus.

At the time of writing, 4 of 54 AV engines detected the malicious file on VirusTotal.

Use the VirusTotal permalink for more detailed information.
SHA256: 99077f53365f931bddb4028793f9722c25b7095ae61eae3f6b31f9d7225e8c27
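The campaigns on this page share a small set of gateway-level tells: subjects with a fixed shape and a varying number (the RECHNUNG references, "Voice Message #…", "INV…K Duplicate Payment Received", the Telekom RechnungOnline and Amazon dispatch subjects), an executable shipped next to an image inside a zip ("my photo"), a document extension followed by .exe (the Telekom sample), and legacy .doc attachments carrying macros (the Duplicate Payment and Amazon samples). The script below is an added example, not MX Lab's filter or any tool mentioned in the posts; it applies those tells to a message's subject and attachments, expanding zip archives to judge the member names. The sample messages and the in-memory zips are constructed from the names in the posts and contain placeholder bytes, not the real payloads. Note that the legacy-Office flag is a prompt to inspect the file for VBA streams (for example with oletools), not proof of a macro on its own.

```python
"""Gateway-style triage of subject lines and attachment names for the lures
described on this page. Added example; sample messages are constructed and
the zip members hold placeholder bytes, not the real samples."""
import io
import re
import zipfile

# Subject shapes from the posts; the numbers vary per message, so match the shape.
SUBJECT_RULES = [
    ("rechnung-ref", re.compile(r"^[A-Z]{2}/\d{8} RECHNUNG$")),
    ("telekom-rechnungonline", re.compile(
        r"^Ihre Telekom Mobilfunk RechnungOnline Monat \S+ \d{4} Nr\. \d+$")),
    ("duplicate-payment", re.compile(r"^INV\d+K Duplicate Payment Received$")),
    ("voice-message", re.compile(r"^Voice Message #\d+$")),
    ("bankline-secure-message", re.compile(
        r"^You have received a new secure message from BankLine#\d+$")),
    ("amazon-dispatched", re.compile(
        r"^Your Amazon\.co\.uk order has dispatched \(#\d{3}-\d{7}-\d{7}\)$")),
    ("my-photo", re.compile(r"^my photo$")),
]

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXT = {".pdf", ".doc", ".jpg", ".jpeg", ".png", ".txt"}  # "looks harmless" prefixes
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt"}  # binary OLE formats that can carry VBA
MEDIA_EXT = {"jpg", "jpeg", "png", "pdf"}     # files used as decoys beside an executable


def match_subject(subject: str):
    """Name of the first matching subject rule, or None."""
    for name, rx in SUBJECT_RULES:
        if rx.match(subject):
            return name
    return None


def classify_name(path: str) -> list:
    """Reasons a file name looks like a lure payload (empty list if none)."""
    base = path.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in base.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXEC_EXT:
        reasons.append("executable")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            reasons.append("double-extension")  # e.g. ..._gmbh.pdf.exe
    elif exts and exts[-1] in LEGACY_OFFICE_EXT:
        reasons.append("legacy-office-doc")     # macro-capable: inspect VBA streams
    return reasons


def triage_attachment(name: str, data: bytes) -> dict:
    """Map each attachment (and each zip member, keyed 'zip!member') to reasons."""
    if not name.lower().endswith(".zip"):
        return {name: classify_name(name)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    out = {f"{name}!{m}": classify_name(m) for m in members}
    execs = [m for m in members if "executable" in out[f"{name}!{m}"]]
    decoys = [m for m in members
              if m.lower().rsplit(".", 1)[-1] in MEDIA_EXT and m not in execs]
    zip_reasons = []
    if execs:
        zip_reasons.append("zip-contains-executable")
        if decoys:
            zip_reasons.append("zip-decoy-pairing")  # the "my photo" pattern
    out[name] = zip_reasons
    return out


def triage_message(subject: str, attachments: dict) -> dict:
    """Combine the subject rule and attachment findings into one verdict."""
    findings = {}
    for name, data in attachments.items():
        findings.update(triage_attachment(name, data))
    rule = match_subject(subject)
    return {"subject_rule": rule, "findings": findings,
            "suspicious": rule is not None or any(findings.values())}


def build_sample_zip(names) -> bytes:
    """Constructed zip with placeholder content, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder, not the real sample")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("AT/74427678 RECHNUNG", {}),  # link lure, no attachment
        ("my photo", {"my_iphone_photo.zip": build_sample_zip(
            ["my_iphone_photo/1my_photo.exe", "my_iphone_photo/2my_photo.jpg"])}),
        ("INV420354K Duplicate Payment Received", {"De_420354K.doc": b"placeholder"}),
        ("Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 Nr. 50662087582088",
         {"2014_11rechnung_K4768955881.zip": build_sample_zip(
             ["2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe"])}),
        ("Weekly report", {"notes.txt": b"placeholder"}),
    ]
    for subject, atts in samples:
        print(subject, "->", triage_message(subject, atts))
```

The subject rules are narrow on purpose: a subject that matches one of these shapes is enough to quarantine on its own during an active campaign, while the attachment rules keep working after the subjects change.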
