Fake message “Re:fаіll tо bil yoυ” is phishing email


MX Lab, http://www.mxlab.eu, started to intercept a phishing campaign with the subject “Re:fаіll tо bil yoυ 867183580” (the number may vary; note that several letters in the subject are Cyrillic and Greek look-alikes rather than Latin letters) from the spoofed sender “MyBell contact@hoster.by”, targeting Bell customers with the following body:

Dear Customer ,

The credit card we have on file for your MyBell. Internet service was declined when we attempted

to bill you on 22/09/2014 for your most recent service fees. For this reason, your service could be suspended.

Please visit our Account Information pages, located at Click Here and update your credit card information as soon as possible.

Once your credit card information is updated, you will be charged immediately, as soon as payment is received.

Thank you for your prompt attention to this matter. We look forward to continuing to serve you.

****************************
Account ID: 65456467755
E-mail ID: 4459000
Online Session PID: 2667890
*****************************

The embedded URL leads to the site hxxp://primalsport.com.au/bell/****@****.ca (the recipient’s email address is included in the URL path).
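Two traits of this lure are cheap to check at the mail gateway: the subject mixes Cyrillic and Greek letters into Latin words (so it slips past an ASCII keyword filter while still reading as “failed to bill you”), and the landing URL carries the victim’s address in its path. The script below is an added example, not MX Lab’s code; the subject line is a constructed reproduction of the one quoted above, the confusables table is a small hand-picked subset of the Unicode confusables data, and the URL is a placeholder rather than the real landing page.

```python
import re
import unicodedata

# Constructed reproduction of the subject quoted above: the Cyrillic and Greek
# letters are written as escapes so the script mix is explicit.
PHISHING_SUBJECT = "Re:f\u0430\u0456ll t\u043e bil yo\u03c5 867183580"

# Assumption: a small subset of Unicode confusables that covers this lure;
# a production filter should load the full confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o", "\u03c5": "u",
}


def script_of(ch):
    """Coarse script label for a letter, taken from the first word of its
    Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...). Non-letters give None."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unassigned code point
        return "UNKNOWN"


def mixed_script_words(text):
    """Words (split on whitespace and ':') whose letters come from more than
    one script; each hit is (word, sorted list of scripts)."""
    hits = []
    for word in re.split(r"[\s:]+", text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            hits.append((word, sorted(scripts)))
    return hits


def fold_confusables(text):
    """Replace known look-alike letters with their ASCII counterparts so the
    subject can be matched against plain-ASCII blocklists and rules."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def url_path_embeds_email(url):
    """True when the URL path carries an e-mail address (the page's lure puts
    the recipient's address after /bell/; the real URL is redacted there)."""
    rest = url.split("://", 1)[-1]
    path = rest.split("/", 1)[1] if "/" in rest else ""
    return re.search(r"[\w.+-]+@[\w-]+(\.[\w-]+)+", path) is not None


def assess_subject(subject):
    """Gateway verdict for one subject line."""
    mixed = mixed_script_words(subject)
    return {
        "mixed_script_words": mixed,
        "folded": fold_confusables(subject),
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    print(assess_subject(PHISHING_SUBJECT))
    print(url_path_embeds_email("http://example.invalid/bell/victim@example.ca"))
```

Folding the subject yields “Re:faill to bil you 867183580”, which is what a reader sees and what an ASCII rule should be written against; the mixed-script check is the stronger signal, since legitimate English subjects almost never combine Latin letters with Cyrillic or Greek inside one word.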

Fake email “Copied invoices” from cashbuild.co.za contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Copied invoices”.

This email is sent from the spoofed address “kshakong@Cashbuild.co.za” and has the following body:

The attached invoices are copies. We will not be able to pay them. Please send clear invoices

______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
______________________________________________________________________

The attached ZIP file has the name SKMBT_75114091015230.zip and contains the file SKMBT_75114091015230.exe.

The trojan is known as Trojan.PWS.Stealer.4118, Spyware.Passwords, Trojan.Zbot.ILS, TR/Fareit.A.301, Troj/Agent-AIXF or RDN/Generic PWS.y!bbb.

At the time of writing, 24 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d

Fake email “Fwd: Dhl Delivery Attempt” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fwd: Dhl Delivery Attempt  (Invoice Documents)”.

This email is sent from the spoofed address “enquiry@dhl.com” and has the following body:

We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
Airway Bill No: 7808130095
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Print this label to get this package at our depot/office.
Thank you
© 2014 Copyright© 2013 DHL. All Rights Reserved.
*** This is an automatically generated email, please do not reply ***
**************** CAUTION – Disclaimer *****************
Any person receiving this email and any attachment(s) contained, shall treat the information as confidential and not misuse, copy, disclose, distribute or retain the information in any way that amounts to a breach of confidentiality. If you are not the intended recipient, please delete all copies of this email from your computer system. As the integrity of this message cannot be guaranteed, neither DHL nor any entity in the Deutsche Post Group shall be responsible for the contents. Any opinion in this email may not necessarily represent the opinion of DHL or any entity in the Deutsche Post Group

—– End forwarded message —–

—– End forwarded message —–

—– End forwarded message —–

—– End forwarded message —–

The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB file DHL EXPRESS DELIVERY ATTEMPT.exe.

The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn.

At the time of writing, 6 of the 55 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44.

Trojan Gen:Variant.Graftor.155439 present in fake emails regarding payments


MX Lab, http://www.mxlab.eu, intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines, but it is also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48.

The first email comes with the subject “Re: today payment done”, is sent from spoofed addresses and has the following body:

Dear sir,

Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:

Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
——————–
Total Remittance: US$ 51,704.97

Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.

Thank you very much.

Best regards,
Me

The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file.

At the time of writing, 11 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686

The second email comes with the subject “Re: Balance payment”, is sent from spoofed addresses and has the following body:

The attached TT copy is issued at the request of our customer. The advice is for your reference only.

Yours faithfully,
Global Payments and Cash Management
Bank of America (BOA)

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this
email will be disregarded.

***************************************************************************

This e-mail is confidential. It may also be legally privileged.
If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability
for any errors or omissions.
***************************************************************************

The attached ZIP file has the name original copy.zip and contains the original copy.scr file.

At the time of writing, 12 of the 55 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635


Email “My new photo ;)” contains a variant of Trojan.Win32.Swizzor.2!O trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan variant distribution campaign by email with the subject “My new photo ;)”.

This email is sent from spoofed addresses and has the following short body in very poor English:

my new photo ;)
if you like my photo to send me u photo

The attached ZIP file has the name photo.zip; once extracted, it yields a folder named photo that contains the 127 kB file photo.exe.

The trojan is known as a variant of Trojan.Win32.Swizzor.2!O.

At the time of writing, only 1 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb.

Fake email with attached invoice from Broad Oak Toiletries Ltd contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice 733351”.

This email is sent from the spoofed address “sue.mockridge@mandmkitchens.co.uk” and has the following body:

Hello,

Please can you let me have a payment date for the attached Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

‘ (Main) 01884 242626 ‘ (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602

The attached ZIP file has the name Invoice 9921312.zip and contains the 106 kB folder Invoice 9921312 with the file Invoice 9921312(copy1).exe.

Note that the reference number in the subject and filenames changes with each email.

The trojan is known as HW32.Paked.C563, Fareit.HG, HEUR/Malware.QVM07.Gen, Troj/Zbot-IWZ.

At the time of writing, 5 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 8628887cefd581cc58ad56081ff3cabdb53ccbb98cff9c8afbd72906d4383973

Fake email “Your Online Submission for Reference 485/GB3363107 Could not process” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your Online Submission for Reference 485/GB3363107 Could not process”, stating that a document could not be processed on the Government Gateway website. The Government Gateway is the website used to register for online government services in the United Kingdom.

This email is sent from the spoofed address “gateway.confirmation@gateway.gov.uk” and has the following body:

The submission for reference 485/GB3363107 was successfully received and was not processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.

The attached ZIP file has the name GB3363107.zip and contains the 23 kB file GB09122014.exe.

The trojan will create a new process on the computer: erdou.exe.

At the time of writing, 0 of the 54 AV engines at Virus Total detected the trojan, so be very careful when receiving such an email.

Use the Virus Total permalink for more detailed information.
SHA256: 4ff1452566fc312f9630c1fa2a2250a665e1ec3602b7168e4240306b114eae84
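Every campaign above after the first uses the same delivery trick: a ZIP attachment whose only member is a Windows executable (.exe or .scr, sometimes inside a folder), often with AV detection in single digits or zero at the time of the campaign. Hash blocklists therefore lag; a gateway check that opens the archive and looks at what is inside catches the whole family. The script below is an added example, not MX Lab’s code. It assumes the gateway already has the raw attachment bytes; the known-bad hash set is copied from the SHA256 values listed in the notices above, and the ZIP samples it inspects are constructed in memory with harmless placeholder bytes, not the real malware.

```python
import hashlib
import io
import posixpath
import zipfile

# SHA256 values as listed in the campaign notices above.
KNOWN_BAD_SHA256 = {
    "e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d",  # SKMBT_75114091015230
    "57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44",  # DHL EXPRESS DELIVERY ATTEMPT
    "db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686",  # swift copy
    "f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635",  # original copy
    "83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb",  # photo
    "8628887cefd581cc58ad56081ff3cabdb53ccbb98cff9c8afbd72906d4383973",  # Invoice 9921312(copy1)
    "4ff1452566fc312f9630c1fa2a2250a665e1ec3602b7168e4240306b114eae84",  # GB09122014
}

# Extensions Windows will run directly; .scr (screensaver) is used by two
# of the campaigns above and is as dangerous as .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # DOS/PE header signature


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_member(name, data):
    """Reasons one archive member is suspicious (empty list means none)."""
    reasons = []
    ext = posixpath.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data[:2] == MZ_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header behind non-executable extension")
    if sha256_hex(data) in KNOWN_BAD_SHA256:
        reasons.append("known-bad SHA256")
    return reasons


def inspect_zip_attachment(zip_bytes):
    """Open the archive in memory and return {'verdict': ..., 'findings': {...}}."""
    findings = {}
    if sha256_hex(zip_bytes) in KNOWN_BAD_SHA256:
        findings["<archive>"] = ["known-bad SHA256"]
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_member(info.filename, zf.read(info))
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        # Malformed archives are held too: the gateway cannot vouch for them.
        return {"verdict": "quarantine", "findings": {"<archive>": ["not a valid ZIP"]}}
    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


def build_sample_zip(members):
    """Constructed test data: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake PE stub (harmless placeholder bytes), mirroring
# the "folder containing photo.exe" layout of the "My new photo ;)" campaign.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
LURE_ZIP = build_sample_zip({"photo/photo.exe": FAKE_PE})
DISGUISED_ZIP = build_sample_zip({"report.pdf": FAKE_PE})
BENIGN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4\n% constructed sample\n"})

if __name__ == "__main__":
    for label, sample in (("lure", LURE_ZIP), ("disguised", DISGUISED_ZIP), ("benign", BENIGN_ZIP)):
        print(label, inspect_zip_attachment(sample))
```

The hash set is kept for completeness, but in practice the extension and MZ-header checks do the work: a new build of the same loader changes the hash and resets AV detection to zero, as the Government Gateway campaign shows, while the “executable inside an archive” shape stays the same.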
