Email “Invoice ID:248c90 in attachment.” contains Word file with malicious macro


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice ID:248c90 in attachment.” (the numbers vary in each subject line and in the attached file name). This email is sent from spoofed addresses and has no body content.

The attached file 248c90.doc is in fact a Word file with an embedded macro that downloads the real trojan from different hosts.

At the time of writing, 0 of the 56 AV engines detected the malware at Virus Total.
SHA256: 0f1b5377c8dd493bfb9c9fcd980e3ef88c0c68c03abfabf813307295f38485c0

MX Lab recommends not opening the attached Word file, or at least making sure that macros are disabled.

Fake email notification Faxtastic “Fax from +4921154767199 Pages: 1” contains malicious Excel sheet


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Fax from +4921154767199 Pages: 1”.

This email is sent from the spoofed address “faxtastic! <fax@faxtastic.co.uk>” and has the following body:

You have received a new fax. To view it, please open the attachment.

Did you know we now send? Visit http://www.faxtastic.co.uk for more details.

Regards,

faxtastic Support Team

The attached 62 kB file 2015031714240625332.xls is in fact an Excel sheet with an embedded macro that downloads the real trojan from different hosts.

The malicious Excel is known as LooksLike.Macro.Malware.a (v) at Virus Total.
SHA256: 0ecabe0a7fceb2dfdce96295d0ecceca0d8e0546c976a913f0e10c819af70fc0

More information at Hybrid Analysis as well.

MX Lab recommends not opening the attached Excel file, or at least making sure that macros are disabled.

Attached zip file email “2015 PMQ agreement” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “2015 PMQ agreement”.

This email is sent from the spoofed address “linda@pmq.com” and has the following body:

HI

I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.

Thank you
Linda

Watch our 2015 PMQ Media Kit here: http://www.pmq.com/2015-PMQ-Media-Kit/
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 / linda.pmq@gmail.com
cell (662)801-5495
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655
http://www.pmq.com

Don’t forget to renew your subscription to the magazine at http://www.pmq.com/Subscribe-PMQ/

The attached file American_Wholesale.zip contains the 12 kB file American_Wholesale.exe.

The trojan is known as Trojan/Win32.Upatre, Upatre-FAAR!D8D4189A5364, Trojan.Agent/Gen-Downloader or Win32.Trojan.Downloader-pdf.Auto.

At the time of writing, 8 of the 57 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: ae71d65a32303f1f129292420532be2c907d04a05c1aef9a429ecf487b578681

Fake email from Total Quality Logistics with subject “Bank reference” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Bank Reference”.

This email is sent from the spoofed address “TQL <awcco2@tqll.co.uk>” and has the following body:

Dear,

Bank form is attached. Please fill out and return at the earliest convenience.

Thank you,

Donald McCarver – Logistics Account Executive
Total Quality Logistics
Work: 800-580-3101 x54804 Cell: 630-254-3268
Always Available 24/7/365

______________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Total Quality Logistics. Total Quality Logistics accepts no liability for any damage caused by any virus transmitted by this email.

The attached file Bank_Ref_(4).zip contains the 29 kB file Bank_Ref_(4).exe.

The trojan is known as Packed.Win32.Obfuscated.10!O, Trj/Genetic.gen or Mal/Dyreza-D.

At the time of writing, 3 of the 57 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 2c05cbc6bc3d63d7a3d0d452a6cd6d174531c6963ccd76f02d97342eaef763c3

Attached Zip archive with email “Invoice #: 43-32056-1, Auction : SHOPPER’S” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice #: 43-32056-1, Auction : SHOPPER’S”.

This email is sent from the spoofed address “no-reply@grafeauction-mail.com” and has the following body:

Grafe Auction Company
Phone: 8003285920
Url:

Auction: SHOPPER’S
Invoice #: 43-32056-1

The attached file Invoice.zip contains the 28 kB file Invoice.exe.

The trojan is known as W32/Upatre.E2.gen!Eldorado, Upatre-FAAR!E917CEC9A933, Artemis!Trojan, Trojan.Agent/Gen-Downloader or Win32.Trojan.Downloader-pdf.Auto.

At the time of writing, 14 of the 57 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 241f92d486d849a3ba8f6588b153c1025dd4a48adce54a9905e396b7bd6695f1

Email with RA_New.zip attached contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “RA 216001” (the numbers in the subject change with every email).

This email is sent from the spoofed address “NicolaR@jhs.co.uk” and has only a standard disclaimer in the body of the email:

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

The attached file RA_New.zip contains the 29 kB file RA_New.exe.

The trojan is known as Win32.Trojan.Inject.Auto.

This trojan can download and install other files from the internet. It creates a process tempinst.exe on the system and makes connections with the following hosts on port 80:

checkip.dyndns.org
xr36rx.com
rmccontracting.com

It will request the files:

  • index.html
  • adv/honf.pdf
  • mandoc/honf.pdf

At the time of writing, 1 of the 56 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 29a6cca9ecf3007adfcc6a8e18d846630afd0b7a6636660bd26800f0a499ee3e

Fake email from RingCentral regarding voice message contains attached trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Voice Message from No Caller ID on 25/02/2015 at 16:25”.

This email is sent from the spoofed address “"notify-uk@ringcentral.com" <notify-uk@ringcentral.com>” (the display name repeats the address) and has the following body:

You Have a New Voice Message

From: No Caller ID
Received: 18 December 2014 at 16:25
Length: 00:03
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)

To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.

Thank you for using RingCentral.

A screenshot of the message:

The attached file NoCallerID-1218-162550-153.wav.zip contains the 70 kB file NoCallerID-1218-162550-153h.wav.exe.

The trojan is known as UDS:DangerousObject.Multi.Generic.

At the time of writing, 1 of the 57 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: 843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379
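The attachment patterns in these posts (legacy Office documents carrying macros, zip archives wrapping an .exe, and the decoy double extension .wav.exe above) can be screened at the mail gateway before a user ever opens them. The following Python is an added example written for this page, not MX Lab's code; the extension lists are this example's assumptions and the archive it builds is a constructed sample.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly (assumed list for this example, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Office formats that can carry VBA macros; the legacy binary formats always can.
MACRO_CAPABLE_EXTS = {".doc", ".xls", ".dot", ".xlt", ".docm", ".xlsm", ".dotm", ".xltm"}
# Extensions used as a decoy in front of the real one (e.g. "...wav.exe").
DECOY_EXTS = {".wav", ".pdf", ".doc", ".jpg", ".txt", ".mp3"}


def classify_name(name: str) -> list[str]:
    """Return the reasons one file name looks risky (empty list = nothing found)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            reasons.append(f"double extension {suffixes[-2]}{last}")
    elif last in MACRO_CAPABLE_EXTS:
        reasons.append(f"macro-capable Office document {last}")
    return reasons


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Screen one attachment; zip archives are opened and every member is checked."""
    reasons = classify_name(filename)
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons += [f"{member}: {r}" for r in classify_name(member)]
        except zipfile.BadZipFile:
            reasons.append("zip attachment that does not parse")
    return reasons


def build_zip(member_name: str, payload: bytes = b"MZ") -> bytes:
    """Constructed sample: an archive holding one member (content is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

Archives are inspected only one level deep here; a production gateway would recurse into nested archives and apply a size limit.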

Update 26/02/2015 – 11:15 (Belgian time):

Further analysis shows that this trojan downloads other malware from the following locations:

hxxp://decapitated.cba.pl/java/bin.exe
hxxp://elsi.homepage.t-online.de/java/bin.exe

The trojan is known as UDS:DangerousObject.Multi.Generic, Sinowal.PDB or PE:Malware.XPACK-LNR/Heur!1.5594.

It shows a popup window on the desktop.

The processes edg2.exe and edg4.exe are created, Windows registry modifications are made, and the trojan can establish a connection with the following IP addresses on port 80:

92.63.87.13
5.196.241.196
66.110.179.66
202.44.54.5
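The hosts, request paths and IP addresses listed in the RA_New.zip and RingCentral write-ups above are what a sweep of proxy logs would look for. The following Python is an added example, not MX Lab's tooling; the log line format is constructed for the example and the severity weighting is an assumption.

```python
from urllib.parse import urlsplit

# Network indicators listed in the write-ups above (RA_New.zip and RingCentral posts).
IOC_HOSTS = {"xr36rx.com", "rmccontracting.com",
             "decapitated.cba.pl", "elsi.homepage.t-online.de"}
IOC_IPS = {"92.63.87.13", "5.196.241.196", "66.110.179.66", "202.44.54.5"}
IOC_PATHS = {"/index.html", "/adv/honf.pdf", "/mandoc/honf.pdf", "/java/bin.exe"}
# checkip.dyndns.org is a public IP-echo service that legitimate software also uses,
# so on its own it is only a weak signal (the weighting is this example's assumption).
WEAK_HOSTS = {"checkip.dyndns.org"}

def classify_url(url: str):
    """Return (severity, reason) for one requested URL, or None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in IOC_HOSTS:
        if path in IOC_PATHS:
            return ("high", f"listed host {host} serving listed path {path}")
        return ("medium", f"listed host {host}")
    if host in IOC_IPS:
        return ("medium", f"listed IP {host} (write-up notes traffic on port 80)")
    if host in WEAK_HOSTS:
        return ("low", f"external IP lookup via {host}")
    return None

def scan_proxy_log(lines):
    """Scan lines of the form '<ts> <client> <method> <url> <status>' (constructed format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing on them
        ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append({"time": ts, "client": client, "url": url,
                         "severity": verdict[0], "reason": verdict[1]})
    return hits

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2015-02-26T11:15:02 10.0.0.15 GET http://checkip.dyndns.org/ 200",
    "2015-02-26T11:15:03 10.0.0.15 GET http://xr36rx.com/adv/honf.pdf 200",
    "2015-02-26T11:15:04 10.0.0.15 GET http://92.63.87.13/ 200",
    "2015-02-26T11:15:05 10.0.0.22 GET http://www.example.com/index.html 200",
    "2015-02-26T11:15:06 10.0.0.15 GET http://elsi.homepage.t-online.de/java/bin.exe 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` reports four hits for client 10.0.0.15 (low, high, medium, high) and nothing for the benign request from 10.0.0.22.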

At the time of writing, 3 of the 57 AV engines detected the trojan at Virus Total.

See Virus Total or Malwr for more detailed information.
SHA256: c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b

 
