Fake email USPS Ship notification contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Ship Notification”.

This email is sent from the spoofed address “USPS.com” and has the following body:

Notification

Our courier couldnt make the delivery of parcel to you at June 17 2014.
Print label and show it in the nearest post office.

Download attach . Print a Shipping Label NOW

USPS | Copyright 2014 USPS. All Rights Reserved.

Screenshot of the email:

The attached ZIP file is named notification.zip and contains the 67 kB executable Notification_72384792387498237989237498237498.exe.

The trojan is known as Win32:Malware-gen, HW32.CDB.C647, W32/Trojan.BIFV-0857, W32/Trojan3.JCT or Trojan-Spy.Agent.

At the time of writing, 5 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 2b920fe150ecbadc2d7befa45bc9a30e74c0e36269facfca745127d55b338977.

Fake email “Failed delivery for package #0231764” from Canada Post contains URLs to malicious file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Failed delivery for package #0231764” from Canada Post, regarding a failed attempt to deliver an item.

This email is sent from the spoofed address “Canada Post <tracking@canadapost.com>” and has the following body:

Dear customer,

We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
The delivery attempt failed because no person was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: RT000961269SG
Expected Delivery Date: JUL 2nd, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

The shipping invoice can be viewed online, by visiting:
hxxp://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber?execution=e9s1

To download the shipping invoice, visit the following link:
hxxp://www.canadapost.ca/cpotools/apps/track/personal/findInvoiceByTrackingNumber?invoice_id=RT000961269SG&action=download

Thank you,
© 2014 Canada Post Corporation

*** This is an automatically generated email, please do not reply ***

 

The first embedded URL hxxp://documents-signature.com/pdf_canpost_RT000961269SG.pdf leads to a website that shows a PDF file with a quite funny image (no offense intended):

The second embedded URL hxxp://documents-signature.com/pdf_canpost_RT000961269SG.zip leads to the malicious file pdf_canpost_RT000961269SG.zip, which contains the file pdf_canpost_RT000961269SG.pif. Note that the visible link text in the email points at www.canadapost.ca while both hrefs actually go to documents-signature.com, and that a .pif file is a Windows executable, not a document.
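The mismatch between the visible canadapost.ca links and the documents-signature.com hrefs is the check a mail filter can make without fetching anything. The following is an added example, not MX Lab code: it parses an HTML body, compares the host named in each link's visible text with the host in its href, and flags hrefs that fetch archive or executable file types. SAMPLE_HTML is constructed to mirror the Canada Post lure above, using the domain and paths the post reports with real http:// schemes in place of the write-up's defanged hxxp://.

```python
"""Flag HTML e-mail links whose visible text names one host while the href
points at another, plus hrefs that fetch archives or executables.

Added example, not MX Lab code. SAMPLE_HTML is constructed to mirror the
Canada Post lure; the attacker domain and paths are the ones the post reports.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that a delivery notice should never link to directly.
DANGEROUS_SUFFIXES = (".zip", ".exe", ".scr", ".pif")
# A hostname mentioned in link text, with or without a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def refang(url):
    """Turn the defanged hxxp:// used in reports back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); production code should use the public suffix list."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def check_links(html):
    """Return one finding per link with the reasons it is suspicious (empty if clean)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href = refang(href)
        target = urlparse(href)
        href_host = target.hostname or ""
        reasons = []
        shown = HOST_RE.search(refang(text))
        if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
            reasons.append(f"visible text shows {shown.group(1)} but href goes to {href_host}")
        for suffix in DANGEROUS_SUFFIXES:
            if target.path.lower().endswith(suffix):
                reasons.append(f"href fetches a {suffix} file")
                break
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed lookalike of the Canada Post lure body (not the original HTML).
SAMPLE_HTML = """
<p>The shipping invoice can be viewed online, by visiting:<br>
<a href="http://documents-signature.com/pdf_canpost_RT000961269SG.pdf">http://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber?execution=e9s1</a></p>
<p>To download the shipping invoice, visit the following link:<br>
<a href="http://documents-signature.com/pdf_canpost_RT000961269SG.zip">http://www.canadapost.ca/cpotools/apps/track/personal/findInvoiceByTrackingNumber?invoice_id=RT000961269SG&amp;action=download</a></p>
<p><a href="http://www.canadapost.ca/help">Help</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding["href"], "->", finding["reasons"] or "clean")
```

The third, clean link shows the check does not fire on ordinary anchors; links whose text is just "Click here" carry no host and need a different policy, such as comparing the href host against the From: domain.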

The trojan is known as Backdoor.Bot or HEUR/Malware.QVM07.Gen.

At the time of writing, 2 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: e0b8d24becb65d040b9e617c31acf6926d44343807bbac2423b28beab855ba75.

Fake Amazon order and invoice detail email contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order Details”.

This email is sent from the spoofed address “delivers@amazon.com” and has the following body:

Hello,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order R:121217 Placed on May 28, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

Screenshot of the email:

The attached ZIP file is named order_id_78362477.zip and contains the 118 kB executable order_id_7836247823678423678462387.exe.

The trojan is known as Win32:Malware-gen, Trojan.Win32.Krap.2!O, Spyware.Zbot.VXGen, PE:Malware.XPACK-HIE/Heur!1.9C48 or TROJ_GEN.F0D1H0ZFP14.

At the time of writing, 7 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3.

Fake “RechnungOnline Monat Juni 2014” emails from Telekom Deutschland GmbH contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign, very similar to the previous RechnungOnline Monat Mai 2014 campaign, by email with the subject “RechnungOnline Monat Juni 2014 (Buchungskonto: 4767393428)” (online invoice for June 2014; the account number at the end of the subject may vary).

This email is sent from the spoofed address “Telekom Deutschland” and has the following body:

TELEKOM DEUTSCHLAND GMBH

Sehr geehrte Damen und Herren,

als Anlage ist die Rechnung 659084703763 als PDF-Anhang:
2014_06rechnung_Juni_659084703763.zip.

Der Rechnungsbetrag für Juni 2014 ergibt sich zu: 272,85 Euro.

Mit freundlichen Grüßen
Ihre Telekom

© Deutsche Telekom AG 2014 | Hilfe | Kontakt | Datenschutz | AGB | Impressum
Sie erhalten diese Systeminformation, da Sie versuchen, über eine unverschlüsselte Verbindung auf Ihr Postfach zuzugreifen.
Es handelt sich um eine aus dem System generierte Nachricht.
Sie haben eine Frage an den Kundenservice? Dann nutzen Sie bitte unser E-Mail Kontaktformular.

Translation:

TELEKOM DEUTSCHLAND GMBH

Dear Sir or Madam,

Attached is invoice 659084703763 as a PDF attachment:
2014_06rechnung_Juni_659084703763.zip.

The invoice amount for June 2014 comes to: 272.85 euros.

Kind regards
Your Telekom

© Deutsche Telekom AG 2014 | Help | Contact | Privacy | Terms | Legal notice
You are receiving this system notification because you are trying to access your mailbox over an unencrypted connection.
This is a system-generated message.
Do you have a question for customer service? Then please use our e-mail contact form.

Screenshot of the email:

The embedded URL leads to hxxp://wigs86.com/t-online-telekom-de, from where the file 2014_06rechnung_0020273640_sign.zip is downloaded. The ZIP archive contains the 93 kB executable 2014_06rechnung_0020273640_sign_telekom_deutschland_gmbh.exe. Note that the email body promises a PDF attachment, while the link delivers a ZIP archive holding an executable.

The trojan is known as Trojan.Malware.Obscu.Gen.002, Packed.Win32.Katusha.3!O or Mal/Generic-S.

At the time of writing, 3 of the 53 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: b6151946d75e5ec00414435975457fbc9f296d327138fba88efa11dc2a0b7688.

Emails with embedded URL informationen_zum_transaktions_pdf will download malicious ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Ihre Zahlung an #403-R7/9469 – Bestätigung (Your payment to #403-R7/9469 – confirmation)
Bestätigung Ihrer Zahlung an #74-Z1/4 (Confirmation of your payment to #74-Z1/4)

This email is sent from a spoofed address and has one of the following bodies:

Group Data Protection Officer Fiducia IT AG Eckhard Dorn

Der Auftrag wurde entgegengenommen.
11. Juni 2014 um 08:37:59 Uhr

Sie haben eine Zahlung über 1744,25 EUR an Edijs Snezko gesendet. Wir haben die Volksbank benachrichtigt, dass der Artikel verschickt werden kann. Alle Details zu dieser Zahlung:
2014_06_11informationen_zum_transaktions_pdf_#317-N94/3.zip.

FinanzGruppe Fiducia AG

Der Auftrag wurde entgegengenommen.
am 11. Juni 2014 um 08:57:56 Uhr

Sie haben eine Zahlung über 1725,32 EUR an Inga Wisniewska überwiesen. Wir haben den Volksbank benachrichtigt, dass der Artikel verschickt werden kann. Alle Details zu dieser Zahlung:
2014_06_11informationen_zum_transaktions_pdf_#557-B6/4965.zip.

Translation of the two bodies:

Group Data Protection Officer Fiducia IT AG Eckhard Dorn

The order has been accepted.
11 June 2014 at 08:37:59

You have sent a payment of EUR 1,744.25 to Edijs Snezko. We have notified the Volksbank that the item can be shipped. All details of this payment:
2014_06_11informationen_zum_transaktions_pdf_#317-N94/3.zip.

FinanzGruppe Fiducia AG

The order has been accepted.
on 11 June 2014 at 08:57:56

You have transferred a payment of EUR 1,725.32 to Inga Wisniewska. We have notified the Volksbank that the item can be shipped. All details of this payment:
2014_06_11informationen_zum_transaktions_pdf_#557-B6/4965.zip.

The embedded URLs, in this case hxxp://jeitopratudo.com/wp-includes/pomo/transaktions-id-volksbanken-de and hxxp://fretsya.com/2014_06_11/transaktions-id-volksbanken-de, download the file 2014_06informationen_zum_transaktions_pdf.zip. The ZIP archive contains the 150 kB executable informationen_zum_transaktions_2014_06_10_02092083044_volksbank.exe.

The trojan is known as Trojan.Malware.Obscu.Gen.002 or HEUR/Malware.QVM20.Gen.

At the time of writing, 2 of the 51 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: dcda16d7982d85597fff2a63577c939e37c1e3cedc79974f2c23ec3cfba711a2.

Fake booking.com reservation confirmation with attached ZIP file contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Reservation for Thursday, June 12, 2014 BN_4914940” that remains almost undetected by anti-virus scanners (at the time of writing, only 2 of the 51 AV engines at Virus Total detected the trojan).

This email is sent from the spoofed address “Booking.com” and has the following body:

Thanks! Your reservation is now confirmed.

BOOKING.COM online hotel reservations
Booking number: 4914940
PIN Code: 6287
Email: ****@****.***
Your reservation: 1 night, 1 room
Check in: Thursday, June 12, 2014
(2:00 pm – 00:00 am)
Check out: Friday, June 13, 2014
(until 12:00 pm)
Superior Double Room $1,300.68
VAT (20%) included $449.92
Total Price $1,750.60

Screenshot of the email:

The attached ZIP file is named BN_4914940.zip and contains the 95 kB file report_92da3ec16736842.pdf.exe. The double extension is meant to make the executable pass for a PDF report; with Windows Explorer's default of hiding known file extensions, the name is displayed as report_92da3ec16736842.pdf.

Please note that the numbers in the subject, message or attachment may vary with each email.

The trojan is known as PWSZbot-FXE!3B53E958ECF1 or TrojanSpy.Zbot.herw.

At the time of writing, 2 of the 51 AV engines at Virus Total detected the trojan, so be cautious with this file and the email. MX Lab recommends not downloading or opening the attached ZIP file in any way, because anti-virus signatures for it have not yet been distributed. Remove the email from your computer immediately.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 25e438be8daffc316e5d48e0efdf325ce194db90608182ebc122d77590520110.
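Every attachment-borne campaign on this page (the USPS, Amazon and booking.com posts) uses the same packaging: a ZIP whose single member is a Windows executable, in the booking.com case with a .pdf.exe double extension. The following is an added example, not MX Lab code: it opens each ZIP attachment of a message without executing anything, flags members by extension and double extension, hashes them with a size cap, and matches the hashes against the SHA256 values reported in these posts. The message it builds is constructed to mirror the USPS lure; the .exe content is a placeholder, not the real trojan, and the sender address is an assumption.

```python
"""Inspect an e-mail for ZIP attachments that carry Windows executables.

Added example, not MX Lab code. build_sample_message() constructs a lookalike
of the USPS "Ship Notification" lure; the member bytes are a placeholder.
"""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows runs directly; .scr and .pif are favoured by these lures
# because Explorer does not present them as obviously executable.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar"}
# Document-like extensions that a double-extension name tries to pass as.
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# SHA256 values reported in the MX Lab posts on this page, as a starter IOC set.
KNOWN_BAD_SHA256 = {
    "2b920fe150ecbadc2d7befa45bc9a30e74c0e36269facfca745127d55b338977",  # USPS
    "e0b8d24becb65d040b9e617c31acf6926d44343807bbac2423b28beab855ba75",  # Canada Post
    "d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3",  # Amazon
    "b6151946d75e5ec00414435975457fbc9f296d327138fba88efa11dc2a0b7688",  # Telekom
    "dcda16d7982d85597fff2a63577c939e37c1e3cedc79974f2c23ec3cfba711a2",  # Fiducia/Volksbank
    "25e438be8daffc316e5d48e0efdf325ce194db90608182ebc122d77590520110",  # booking.com
    "03467f231a3fce6795545ae99a6dad161effa3bf681031693815eabf1648ee66",  # J2/eFax
}

# Cap on the declared member size so a decompression bomb cannot exhaust memory.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def classify_member(name):
    """Return the reasons a ZIP member name looks like a disguised executable."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXTENSIONS:
        reasons.append("executable extension ." + parts[-1])
        # report_92da3ec16736842.pdf.exe style: only the last extension counts
        if len(parts) >= 3 and parts[-2] in DOC_EXTENSIONS:
            reasons.append("double extension masquerading as ." + parts[-2])
    return reasons


def inspect_message(raw, known_bad=KNOWN_BAD_SHA256):
    """Parse a raw RFC 5322 message and report every member of every ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_member(info.filename)
                digest = None
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append("declared size above hashing cap, not read")
                else:
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append({
                    "attachment": part.get_filename() or "",
                    "member": info.filename,
                    "size": info.file_size,
                    "sha256": digest,
                    "reasons": reasons,
                    "known_bad": digest in known_bad,
                })
    return findings


def is_suspicious(findings):
    """True if any ZIP member is a known IOC or carries a disguised-executable name."""
    return any(f["known_bad"] or f["reasons"] for f in findings)


def build_sample_message():
    """Constructed lookalike of the USPS lure; the .exe bytes are a placeholder."""
    placeholder = b"MZ" + b"\x90" * 64  # not the real payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notification_72384792387498237989237498237498.exe", placeholder)
    msg = EmailMessage()
    msg["From"] = "USPS.com <notification@usps.com>"  # display name from the post; address assumed
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Ship Notification"
    msg.set_content("Our courier couldnt make the delivery of parcel to you at June 17 2014.\n"
                    "Print label and show it in the nearest post office.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="notification.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in inspect_message(build_sample_message()):
        print(f["attachment"], "->", f["member"], f["sha256"], f["reasons"],
              "known IOC" if f["known_bad"] else "")
```

Name-based checks catch the whole family while the hash set only catches the samples already seen, which matters given the 1 to 7 out of 51 detection rates reported above; run the name check first and treat a hash match as confirmation, not as the only trigger.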

Email notification regarding received fax message from J2 is fake and leads to malicious file on Dropbox


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fax Message at 2014-05-06 08:55:55 EST”.

This email is sent from the spoofed address “Fax Message <message@inbound.efax.com>” and has the following body:

Fax Message
You have received 7 fax page(s) at 2014-05-06 08:55:55 EST.

* The reference number for this fax is airw_byl38-1900025563-6891008917-11.
* The transmission start time for this fax is .

Click here to view this message in your web browser

Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!

This account is subject to the terms listed in the jConnect Customer Agreement.

Screenshot of the email:

The embedded URL leads to hxxps://www.dropbox.com/meta_dl/**SHORTENED**

The downloaded ZIP file is named Fax-932971.zip and contains the 146 kB file Fax-932971.scr; a .scr screensaver file is a regular Windows executable despite the extension.

The trojan is known as PE:Malware.XPACK-HIE/Heur!1.9C48.

At the time of writing, only 1 of the 51 AV engines at Virus Total detected the trojan, so this file must be treated as dangerous regardless of scan results.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 03467f231a3fce6795545ae99a6dad161effa3bf681031693815eabf1648ee66.
