Fake order confirmation “Order Details” from Amazon contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order Details”.

This email is sent from the spoofed address “Amazon.co.uk” and has the following body:

Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order R:131216 Placed on October 09, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.co.uk

The 532 kB malicious file is not wrapped in a ZIP archive but attached directly, under the name order_report_72364872364872364872364872368.exe (the numbers may vary).

The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto.

At the time of writing, 3 of the 53 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 17de4b7fab716f6c87b5d3c941ecb5f5b01d5e4980cff71c88451acc90b22bb0

Fake emails from DHL and Deutsche Post regarding an order carry the trojan Rechnung zu Ihrer Bestellung.exe in a ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign of fake emails from DHL and Deutsche Post regarding an order. Several different versions of this email have been intercepted, but all of them contain the file Rechnung zu Ihrer Bestellung.exe in an attached ZIP archive.

Auftragsübersicht/Rechnung Nachsendeservice 27.10.2014

This email is sent from the spoofed address “avis@dhl.com”, with the reply-to address “Gutscheine@deutschepost.de”, has the subject “Auftragsübersicht/Rechnung Nachsendeservice 27.10.2014” and has the following body:

Dear Sir or Madam,

thank you very much for your online order of NACHSENDESERVICE (mail forwarding) for letters. The invoice amount of 24,60 € (see attached file)

Kind regards
Your Deutsche Post Online Team

The attached ZIP file has the name Rechnung_zu_Ihrer_Bestellung.zip.

Ihr DHL Paket 9234500900001 wurde bei Ihrem Nachbarn hinterlegt

This email is sent from the spoofed address “trackandtrace@deutschepost.de”, with the reply-to address “datenschutz@dhl.de”, has the subject “Ihr DHL Paket 9234500900001 wurde bei Ihrem Nachbarn hinterlegt” and has the following body:

Hello,

Your online order of NACHSENDESERVICE (mail forwarding) for letters can be found in the attachment.

Kind regards
Your Deutsche Post

The attached ZIP file has the name Rechnung_zu_Ihrer_Bestellung.zip.

Vielen Dank für Ihre Internet-Beauftragung NACHSENDESERVICE für Briefsendungen vom 24.10.2014.

This email is sent from the spoofed address “avis@dhl.com”, has the subject “Vielen Dank für Ihre Internet-Beauftragung NACHSENDESERVICE für Briefsendungen vom 24.10.2014.” and has the following body:

Dear customer!

thank you very much for your online order of NACHSENDESERVICE (mail forwarding) for letters Deutsche Post eFiliale – your post office on the Internet

Best regards,
Your post office on the Internet

The attached ZIP file has the name RG64575763D875673.zip.

Statusbenachrichtigung zu dem Paket OTTO mit der Sendungsnummer 9234500900001

This email is sent from the spoofed address “paket@dhl.de”, with the reply-to address “contact@deutschepost.de”, has the subject “Statusbenachrichtigung zu dem Paket OTTO mit der Sendungsnummer 9234500900001” and has the following body:

Dear customer,

Your order is now complete. (see attached ZIP file)

Kind regards,
Your post office on the Internet

The attached ZIP file has the name RG64575763D875673.zip.

All the ZIP archives contain the same 295 kB file Rechnung zu Ihrer Bestellung.exe.

The trojan is known as Troj.Dropper.W32.Injector, W32/Trojan.RSBA-6758, W32/Trojan3.LRO, Troj/Agent-AJPG or TR/Bublik.A.82.

At the time of writing, 7 of the 54 AV engines detected the trojan at Virus Total.

Details of the emails, such as the spoofed sender address, subject and contents, may vary at any time.

Use the Virus Total permalink for more detailed information.
SHA256: b4e898a19c81e11ad35aa0fae84e4c316888e1eda6f2b42224c8e7def43adcfd

Fake email regarding Bitstamp new banking details contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New bank details”.

This email is sent from the spoofed address ‘“Bitstamp.net” <no_reply@bitstamp.net>’, while the real SMTP sender is AmericanExpress@welcome.aexp.com, and has the following body:

New banking details

Dear Bitstamp clients,

We would like to inform you that Bitstamp now has new bank details, please check attached file.

We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.

Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.

Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.

Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED

The attached ZIP file has the name bank details.zip and contains the 24 kB file bank details.scr.

The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S.

At the time of writing, 4 of the 53 AV engines detected the trojan at Virus Total. MX Lab has also intercepted copies of this email without the malicious attachment, but treat this email as a risk regardless.

Use the Virus Total permalink for more detailed information.
SHA256: 83fc76ba29762e28fc80c08085003b811a1fa3eae51635f99ff35b4022fd1769

Fake email from the Pegler Yorkshire Group regarding a daily report contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FW: Daily report” that is supposed to come from the Pegler Yorkshire Group, a British manufacturer of valves and engineering products.

This email is sent from the spoofed address “Ian Howarth <Ian.Howarth@pegleryorkshire.co.uk>” and has the following body:

Please review attached document.

—————————-

http://www.pegleryorkshire.co.uk

Head Office| St. Catherine’s Avenue, Doncaster, South Yorkshire, DN4 8DF, England.

Registered in England Company No. 00401507, Registered Office| Pegler Yorkshire Group Limited, St. Catherine’s Avenue, Doncaster, South Yorkshire, DN4 8DF, England. An Aalberts Industries Company.

DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Any views/opinions expressed in this email are solely those of the author and not of the company. The company may monitor communications for business purposes. Copyright in this email belongs to Pegler Yorkshire Group Limited, ALL RIGHTS RESERVED. This e-mail has been scanned for all known viruses by our systems however the company accepts no liability for any damage caused by any virus transmitted by this email.
—————————-

The attached ZIP file has the name F44907162.zip and contains the 22 kB file F44907162.scr (note: the numbers may vary).

The trojan is known as Troj.W32.Gen or HEUR/QVM20.1.Malware.Gen.

At the time of writing, 2 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: c9189ab85dcb7782bd048d1b91b6c2c414d6f7e7197f1e7a11189a92ad43c9f7

UPDATE 21/10/2014 12:20:

The same trojan is also being distributed by email with content other than that shown above. Below is an example that is supposed to come from the company 888 Publishing Ltd and uses the same subject line “FW: Daily report”, so we can expect more similar emails with different content.

Please review attached document.
Kind regards,

Carrie Lancaster – Editor
carrie.lancaster@biopharma-asia.com

888 Publishing Ltd
6 Mitre Passage
Greenwich Peninsula
London
SE10 0ER
United Kingdom

T: +44 (0) 203 440 7106
F: +44 (0) 203 440 7115
W: http://www.biopharma-asia.com
CO#: 08048039
Find Us Online
FacebookTwitterGoogle+Linkedin

This message and any files transmitted with it are the property of 888 Publishing Ltd, are confidential, and are intended solely for the use of the person or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please contact the sender and delete his message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.

Fake Fidelity email “401k June 2014 Fund Performance and Participant Communication” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “401k June 2014 Fund Performance and Participant Communication” regarding a Fidelity fund performance report.

This email is sent from the spoofed address “Cora Mccracken <CoraMccracken@fidelity.com>” and has the following body. Note that the subject refers to a report for June while the body of the email and the attached ZIP archive refer to October, so I assume that this is a small mistake.

Co-op 401k Plan Participants -

Attached you will find the October 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.

If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.

Please contact me if you have any questions.

Cora Mccracken

Employee Benefits/Plan Administrator

615.793.3210

The attached ZIP file has the name October-2014-401k-Fund.zip and contains the 23 kB file October-2014-401k-Fund.scr.

The trojan is known as Win32.Malware!Drop, W32/Trojan3.LNK, Trojan.Upatre.100, W32/Trojan.DXKV-8011 or Win32/TrojanDownloader.Waski.A.

At the time of writing, 12 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 782d490bedb9e65bb1640a4d08e0e3debe2c11b270415aeb8bbfb83377469a3b

Latest email “my new photo ;)” contains a new trojan variant


MX Lab, http://www.mxlab.eu, started to intercept a distribution campaign for a new trojan variant by email with the subject “my new photo ;)”.

This type of campaign has been running for some time now (see the other blog articles from the 26th September, 16th September, 5th September and 22nd August 2014) and still appears in the wild with a very low detection rate by anti-virus engines.

This email is sent from varying spoofed email addresses and has the following short body:

my new photo ;)

The attached ZIP file has the name photo.zip; once extracted, it yields a folder named photo that contains the 57 kB file photo.exe.

The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen.

At the time of writing, 2 of the 53 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 83912dc14a7de0ae2dbc6f12f2a5dbb54e2d94861ec6214163eaa2031df1b9b5


Fake email Adobe Invoice, regarding an Adobe Creative Cloud Service invoice, contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Invoice”, which is quite similar to a previous malicious campaign, except that in that case a Word document was used.

This email is sent from the spoofed address “Adobe Billing <billing@adobe.com>” and has the following body:

Dear Customer,

Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service


The attached ZIP file has the name adb-102288-invoice.zip and contains the 117 kB file c3.exe.

The trojan is known as PE:Malware.FakePDF@CV!1.9C3A or Win32.Trojan.Inject.Auto.

At the time of writing, 2 of the 53 AV engines detected the trojan at Virus Total, so be careful when handling this email.

Use the Virus Total permalink for more detailed information.
SHA256: 39475a931af23d7d61e2898bcd2e5f69f8e6770848a306980ea8ef6dcfc2bc08
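The campaigns above share a few mail-level indicators: a From address that does not match the real SMTP sender (the Bitstamp case) or the reply-to address (the DHL/Deutsche Post cases), and an .exe or .scr delivered either directly (Amazon) or inside a ZIP (all the others). The following Python triage script is an added example, not MX Lab's tooling; it flags those indicators on a raw .eml and hashes each attachment for a Virus Total lookup. The sample message is constructed here and its ZIP member is a harmless placeholder.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types the campaigns above deliver, either bare or inside a ZIP archive.
RISKY_EXT = (".exe", ".scr")

def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_eml: bytes) -> dict:
    """Flag Return-Path/Reply-To domains that differ from the From domain and
    executables attached bare or inside a ZIP; also hash every attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings, hashes = [], {}
    from_dom = _domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        hashes[name] = hashlib.sha256(data).hexdigest()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attached directly: {name}")
        elif name.endswith(".zip"):  # raises BadZipFile on a corrupt archive
            for member in zipfile.ZipFile(io.BytesIO(data)).namelist():
                if member.lower().endswith(RISKY_EXT):
                    findings.append(f"executable inside ZIP {name}: {member}")
    return {"findings": findings, "sha256": hashes}

def sample_eml() -> bytes:
    """Constructed message modelled on the Bitstamp lure: From claims bitstamp.net,
    the envelope sender is elsewhere, and a placeholder .scr sits inside the ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("bank details.scr", b"placeholder bytes, not malware")
    msg = EmailMessage()
    msg["From"] = '"Bitstamp.net" <no_reply@bitstamp.net>'
    msg["Return-Path"] = "<AmericanExpress@welcome.aexp.com>"
    msg.set_content("Bitstamp now has new bank details, please check attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="bank details.zip")
    return msg.as_bytes()
```

Feed `triage()` a message captured at the gateway and compare the returned hashes against the Virus Total permalinks above; the SHA-256 values in the posts are of the extracted executables, so hash the ZIP members as well when matching.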
