Fake UBS emails regarding negative bank balance lead to sites with obfuscated JavaScript


MX Lab, http://www.mxlab.eu, started to detect and intercept a large campaign of fake emails from UBS AG regarding a negative bank balance of €1500 on the bank account.

The SMTP envelope sender and the From address in the message header differ. At SMTP level the envelope sender addresses come from the domain @google.com, while in the message source the From address is identical to the To address. Most of the emails also list up to 5 recipients in the header.
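The header pattern described above (envelope sender from one domain, header From equal to a recipient, several recipients per message) can be checked at the gateway. The following is an added example, not MX Lab's code: it assumes the envelope sender is recorded in the Return-Path header and uses a constructed sample message with placeholder addresses; the threshold of three recipients is an assumption as well.

```python
# Added example (not MX Lab's code): flag the header pattern described above,
# namely an SMTP envelope sender whose domain differs from the header From,
# a From address equal to a recipient, and several recipients in one message.
# Assumptions: the gateway records the envelope sender in Return-Path, and
# three or more recipients is the threshold worth flagging.
import email
from email.utils import getaddresses, parseaddr

# Constructed sample message (not a real capture); the addresses are
# placeholders, the envelope domain follows the post.
SAMPLE_EML = """\
Return-Path: <someone@google.com>
From: victim1@example.org
To: victim1@example.org, victim2@example.org, victim3@example.org
Subject: Votre compte bancaire UBS AG sera debite de 1500 EUR.
Content-Type: text/plain; charset=us-ascii

Chere cliente/Cher client,
Suite a vos instructions, nous allons debiter un montant de 1500 EUR.
"""


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_headers(raw_message, min_recipients=3):
    """Return a list of findings for the sender/recipient pattern of one message."""
    msg = email.message_from_string(raw_message)
    envelope_sender = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]

    findings = []
    if domain_of(envelope_sender) != domain_of(header_from):
        findings.append("envelope sender domain %s differs from From domain %s"
                        % (domain_of(envelope_sender) or "?", domain_of(header_from) or "?"))
    if header_from and header_from.lower() in recipients:
        findings.append("From address equals a recipient address")
    if len(recipients) >= min_recipients:
        findings.append("%d recipients in header" % len(recipients))
    return findings


if __name__ == "__main__":
    for finding in analyse_headers(SAMPLE_EML):
        print("FLAG:", finding)
```

None of the three findings is conclusive on its own (mailing lists and forwarders produce similar headers), so they are best used as a score that feeds into a quarantine decision rather than a hard block.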

Possible subjects are (original French, English translation in brackets):

Attention – débit sur votre compte bancaire UBS AG d’un montant de 1500 €. [Attention – debit of 1500 € from your UBS AG bank account.]
Notification de la banque UBS AG : préparation du débit en cours. [Notification from UBS AG bank: debit being prepared.]
Le débit d’un montant de 1500 € sur votre compte bancaire UBS AG sera effectué dans 24 heures. [The debit of 1500 € from your UBS AG bank account will be made within 24 hours.]
Votre compte bancaire UBS AG sera débité de 1500 €. [Your UBS AG bank account will be debited 1500 €.]

Body of the email (translated from French):

Dear customer,
Following your instructions, we are going to debit an amount of 1500 €.
The withdrawal of funds will take place within 1 business day.

Please verify the beneficiary's account details.

Wishing you a pleasant day,
Jaques Dermond,
UBS AG
Customer Service
UBS AG is pleased to put at your service a team of qualified consultants to handle your daily requests and queries.

The embedded URL leads to different web sites that host the file inf.html. In our case we followed hxxp://www.egnegocios.ual.pt/inf.html; this page contains a redirect to hxxp://faceliftdubai.com/news/wanting_book_switch.php, and that page contains the obfuscated JavaScript.

MX Lab recommends not to follow any URLs from these fake notifications.

Phishing campaign masked as an eBay information request


MX Lab, http://www.mxlab.eu, detected a phishing campaign in the form of information requests sent by email in the name of eBay. The fake email is sent from the spoofed email address “eBay <awconfirm@aby.fr>” and has subjects in the format “Question sur l’ objet #2091501444 – Répondre maintenant” (“Question about item #2091501444 – Reply now”).

The layout of the email body is typical eBay style, and it contains a request for more information regarding the delivery of the purchased item.

The embedded URL, in this case hxxp://ns1.sjburns.com/bash/levante.fr/curvasa.html, leads to a web site that hosts the fake eBay login screen. The form is processed by the file ebay.php.

Afterwards, the user is redirected to the real eBay login screen with a secure https connection.

The main differences between the fake and the real login page are: the disclaimer is written in French, there is a link to the eBay app at the top right, and the Norton logo is shown correctly.

Fake emails from TNT with invoices contain new trojan in ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “TNT Express factuur 537999923; Klantnummer 569666349” (“TNT Express invoice 537999923; Customer number 569666349”; the numbers in the subject and attachment name can change). Judging by the Dutch language and the domain TLDs, the campaign is targeting users in the Netherlands and Belgium.

The email is sent from the spoofed address “eInvoicing <NL.e-invoicing@tntexpress.nl>” and has the following body (translated from Dutch):

Dear Sir, Madam,

New invoices and/or credit notes from TNT Express Nederland are available. You will find your original invoice in the attachment.

You can view and download copies of these documents and their CSV files via the link below.

http://express.tnt.com/einvoicing

Kind regards,
Billing Department, The Netherlands
Finance & Administration, TNT Express Benelux
Email: nl.e-invoicing@tntexpress.nl

The attached ZIP file has the name TNT-NL-973919134-713692777-factuur.zip and contains the 35 kB large file TNT-NL-874490372-765987046-factuur.PDF.exe.

The trojan is known as Trojan.GenericKD.934424, Win32/TrojanDownloader.Wauchos.I, Trojan-Ransom.Win32.Blocker.babg or Trojan.Win32.Agent.AMN (A).

At the time of writing, 12 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: d89523db16131ce7b64d68c04ce14bf617a26b5065b2f9700291a3552c1b9808.

Fake emails from HSBC with attached Payment_advice.zip contain a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[B32454525694]”. Please note that the numbers used in the subject and in the mail from address may vary.

The email is sent from the spoofed address “payment.advice@hsbc.com.hk <payment.advice.388713670.941822.0485297616@mail.hsbc.com.hk>” and has the following body:

Sir/Madam

Upon your request, attached please find payment e-Advice for your reference.

Yours faithfully

HSBC

***************************************************************************

We maintain strict security standards and procedures to prevent unauthorised access to information about you. HSBC will never contact you by e-mail or otherwise to ask you to validate personal information such as your user ID, password, or account numbers. If you receive such a request, please call our Direct Financial Services hotline.

Please do not reply to this e-mail. Should you wish to contact us, please send your e-mail to commercialbanking@hsbc.com.hk and we will respond to you.

Note: it is important that you do not provide your account or credit card numbers, or convey any confidential information or banking instructions, in your reply mail.

Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005. All rights reserved.

***************************************************************************

The attached ZIP file has the name Payment_Advice.zip and contains the 96 kB large file Payment_Advice.exe.

The trojan is known as W32/Trojan.IWRE-9169, PWS.Win32.Fareit.AMN (A), W32/Yakes.B!tr, Trojan.Agent.RVGen5.

At the time of writing, 11 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: ea92af5486f6b8039b0f2193666ea8604d54d5cc9e7f37f7396a8b6f2baa3260.

“UPS – Your package is available for pickup” email contains new trojan variant


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS – Your package is available for pickup”.

The email is sent from the spoofed address “UPS Express Services <service-notification@ups.com>” and has the following body:

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

You may pickup the parcel at our post office.

Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
UPS Logistics Services.

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

The attached ZIP file has the name Label_8827712794.zip and contains the 135 kB large file Label_8827712794.exe.
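The TNT, HSBC and UPS posts above all describe the same delivery mechanism: a small ZIP attachment holding a single executable, in the TNT case with a double extension (.PDF.exe). The following is an added example, not MX Lab's code, of how a gateway could inspect such an archive. The SHA256 values are the ones quoted in those posts; the sample ZIP the code builds holds harmless placeholder bytes under the reported file names, so its hashes will not match the known samples.

```python
# Added example (not MX Lab's code): inspect a ZIP attachment the way the
# TNT, HSBC and UPS posts above describe them: an executable, sometimes with a
# double extension such as .PDF.exe, inside a small ZIP. The SHA256 values are
# the ones quoted in those posts; the sample ZIP built below holds harmless
# placeholder bytes, not the trojans themselves.
import hashlib
import io
import os
import re
import zipfile

# SHA256 values quoted in the posts above, mapped to the file names reported
KNOWN_BAD_SHA256 = {
    "d89523db16131ce7b64d68c04ce14bf617a26b5065b2f9700291a3552c1b9808": "TNT-NL-874490372-765987046-factuur.PDF.exe",
    "ea92af5486f6b8039b0f2193666ea8604d54d5cc9e7f37f7396a8b6f2baa3260": "Payment_Advice.exe",
    "b1b537f767ce0a0cbf00141f97d5f814ecb9f2ae058895c9c85b3375b7d0e59e": "Label_8827712794.exe",
}

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# A document-looking extension directly followed by an executable one
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg)\.(exe|scr|com|pif|bat|cmd|vbs|js)$", re.I)


def inspect_zip(zip_bytes):
    """Return one record per archive member with the reasons it looks suspicious."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            data = archive.read(info)
            sha256 = hashlib.sha256(data).hexdigest()
            reasons = []
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
                reasons.append("executable extension")
            if DOUBLE_EXT.search(name):
                reasons.append("double extension")
            if sha256 in KNOWN_BAD_SHA256:
                reasons.append("known sample: " + KNOWN_BAD_SHA256[sha256])
            records.append({"name": name, "size": info.file_size,
                            "sha256": sha256, "reasons": reasons})
    return records


def is_suspicious(zip_bytes):
    """True when any member of the archive triggered at least one reason."""
    return any(record["reasons"] for record in inspect_zip(zip_bytes))


def build_sample_zip():
    """Constructed test archive: the member names follow the posts, the bytes do not."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("TNT-NL-874490372-765987046-factuur.PDF.exe", b"MZ placeholder, not malware")
        archive.writestr("Label_8827712794.exe", b"MZ placeholder, not malware")
        archive.writestr("invoice.txt", b"plain text, nothing to flag")
    return buffer.getvalue()


if __name__ == "__main__":
    for record in inspect_zip(build_sample_zip()):
        print(record["name"], record["size"], "bytes", record["reasons"])
```

The extension checks catch the campaign on day one, when (as the posts note) only 11 to 15 of 46 AV engines recognised the samples; the hash check only helps once the sample is known, which is why a gateway policy should block executables inside archives outright rather than rely on signatures.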

The trojan is known as Trojan/Win32.Zbot, PWS.Win32.Fareit.AMN (A), Trojan.Generic.KD.913977, Trojan-PSW.Win32.Tepfer.hlxl, Malware.Packer.SGX5, Mal/FakeAV-OY or TSPY_FAREIT.NF.

At the time of writing, 15 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: b1b537f767ce0a0cbf00141f97d5f814ecb9f2ae058895c9c85b3375b7d0e59e.

Fake email from USPS with subject “Missed package delivery!” contains URL to malicious trojan


MX Lab, http://www.mxlab.eu, started to intercept fake emails from USPS with the subject “Missed package delivery!” that contain an embedded URL leading to a malicious ZIP archive.

The email is sent from the spoofed address “US Postal Service <tracking@usps.com>” and has the following body:

Dear client ,

We attempted to deliver your item at 07:30 am on Mar 25th, 2013.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the link below or pick up the item at the U.S. Post Office indicated on the receipt.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: 9102901020033059728124
Expected Delivery Date: Mar 25th, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

To download the shipping receipt, in PDF format, visit:

http://www.usps.com/go/tools/apps/track/findInvoiceByTracking.aspx?id=9102901020033059728124

To check on the delivery status of your mailing or arrange redelivery please visit the following URL:

https://tools.usps.com/go/pages/trackconfirm/quick-track.html

Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

The first URL leads in this case to hxxp://bloomerstudio.com/webupdatefiles2006/pdf_usps_9102901020033059728124.zip. The downloaded ZIP file has the name pdf_usps_9102901020033059728124.zip and contains the 218 kB large file pdf_usps_9102901020033059728124.scr.

The trojan is known as UDS:DangerousObject.Multi.Generic, Heuristic.BehavesLike.Win32.ModifiedUPX.C or Suspicious.Cloud.5.

The trojan will create the following files:

%AppData%\Eqba\zuevu.exe
%AppData%\Roic\naev.oqi
%AppData%\Roic\naev.tmp
%AppData%\Teox\lidez.ywy
%Temp%\tmp06b23466.bat

The following directories are created:

%AppData%\Eqba
%AppData%\Roic
%AppData%\Roic

A new process is created:

zuevu.exe

Several modifications are made in the Windows Registry, and the trojan connects to the host 249a2efd08167c5c.com on port 80.
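The file, directory, process and network artifacts listed above are what an endpoint or network log review would look for after a user has run the .scr file. The following is an added example, not MX Lab's code: it takes the indicators from this post, maps concrete per-user paths back to the %AppData% and %Temp% form used above, and matches them against constructed log lines in a hypothetical event|value|extra format (the log format and the user name "alice" are assumptions, not anything from the post).

```python
# Added example (not MX Lab's code): match the host and network artifacts
# listed above against endpoint log lines. The log format (event|value|extra)
# and the sample lines are constructed for this example; the indicators are
# the ones reported in the post.
import re

FILE_IOCS = {
    r"%AppData%\Eqba\zuevu.exe",
    r"%AppData%\Roic\naev.oqi",
    r"%AppData%\Roic\naev.tmp",
    r"%AppData%\Teox\lidez.ywy",
    r"%Temp%\tmp06b23466.bat",
}
PROCESS_IOCS = {"zuevu.exe"}
NETWORK_IOCS = {"249a2efd08167c5c.com"}

# Constructed sample log (hypothetical agent format): event|path-or-name[|extra]
SAMPLE_LOG = r"""
FileCreate|C:\Users\alice\AppData\Roaming\Eqba\zuevu.exe
FileCreate|C:\Users\alice\AppData\Local\Temp\tmp06b23466.bat
FileCreate|C:\Users\alice\Documents\report.docx
ProcessCreate|zuevu.exe|C:\Users\alice\AppData\Roaming\Eqba\zuevu.exe
NetConnect|249a2efd08167c5c.com|80
NetConnect|www.example.com|443
"""

# Map concrete per-user paths back to the %AppData% / %Temp% form used in the post
_ROAMING = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming", re.I)
_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp", re.I)

_FILE_IOCS_LOWER = {ioc.lower() for ioc in FILE_IOCS}


def normalise_path(path):
    """Replace the user profile prefix with the environment-variable form."""
    path = _TEMP.sub("%Temp%", path)
    return _ROAMING.sub("%AppData%", path)


def match_log(text):
    """Return (event, logged value, matched indicator) for each matching line."""
    hits = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        event, value = fields[0], fields[1]
        if event == "FileCreate":
            normalised = normalise_path(value)
            if normalised.lower() in _FILE_IOCS_LOWER:
                hits.append((event, value, normalised))
        elif event == "ProcessCreate" and value.lower() in PROCESS_IOCS:
            hits.append((event, value, value.lower()))
        elif event == "NetConnect" and value.lower() in NETWORK_IOCS:
            hits.append((event, value, value.lower()))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print("HIT:", hit)
```

Path comparison is done case-insensitively because Windows file systems are, and the %Temp% substitution is applied before %AppData% so that a Local\Temp path is never left half-normalised. Exact indicators like these age quickly (the directory and file names are random per build), so the DNS and proxy logs for 249a2efd08167c5c.com are usually the more durable check.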

At the time of writing, 3 of the 45 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 0be178a5033a5b2c6351736cabe78000765de8fcc094eacc17e77538aa2509ce.

Massive spam campaign from spoofed email address ops_invoice@adp.com


MX Lab, http://www.mxlab.eu, reported yesterday a trojan distribution campaign by email with the subject “ATTN: ADP Payroll Invoice” from the spoofed email address ops_invoice@adp.com. This campaign ended at around 0500 AM local Belgian time.

Today since 0600 AM local Belgian time, MX Lab is intercepting a massive spam campaign, doubling the amount of spam that has been intercepted, from the same spoofed email address with subjects in the format “Final 77% discount for jkonokotina”. The first part of the email address is used in the subject and in the email:

Dear jkonokotina, hurry up! Only 1 day huge discount!

More than 10.000 pisl online.

BestSellers:
*** Propecia – 0.18$
*** Leivtra – 1.61$
*** Ciali – 1.78$
*** Viagr – 0.52$

Buy here hxxp://kSUo.doctorplod.ru/

All the messages contain a URL with a .ru TLD that points to an online pharmacy “Pharmacy Express” – see screenshot below.
