Malicious Word file in emails INV420354K Duplicate Payment Received


MX Lab, http://www.mxlab.eu, started to intercept a large email campaign with the subject “INV420354K Duplicate Payment Received” (numbers may vary) that carries a malicious Word file.

This email is sent from spoofed addresses and has the following body:

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £669.62 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out to or if bank transfer, please advise bank details.

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you.

Many thanks
Margie Wright
Accounts Department

The attached file is named De_420354K.doc (numbers may vary) and is a malicious Word file that uses macros to infect the computer with further malicious files.

At the time of writing, none of the 54 anti-virus engines at Virus Total detect this threat. The Virus Total report can be looked up by its SHA256: ea85382435cf26e8066780b7115e4beef78caa0e8766bff324ff19e216496e4b.

Voice Message emails contain a security threat


MX Lab, http://www.mxlab.eu, started to intercept a large email campaign with the subject “Voice Message #0768384921” (numbers may vary), which is a continuation of the previous campaign targeting RBS customers.

This email is sent from the spoofed address “Message Admin <martin.smith@essex.org.uk>” and has the following body:

Voice redirected message

hxxp://crcmich.org/bankline/message.php
Sent: Thu, 13 Nov 2014 11:54:24 +0000

The embedded URL in our sample leads to hxxp://crcmich.org/bankline/message.php. This opens an HTML document with embedded JavaScript that uses ActiveXObject or a regular HTTP request to start a download, so that the victim opens and/or saves the malicious file as instructed.

Fake email regarding new secure message from BankLine that targets RBS customers


MX Lab, http://www.mxlab.eu, started to intercept fake emails regarding a new secure message from BankLine that target RBS customers.

The subject line is “You have received a new secure message from BankLine#24802254”. This email is sent from the spoofed address “Bankline <secure.message@bankline.com>” and has the following body:

You have received a secure message.

Read your secure message by following the link below:

link

—————-
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 1196.

First time users – will need to register after opening the attachment.
About Email Encryption – http://www.rbs.co.uk/corporate/electronic-services/g2/datalink.ashx

The embedded URL in our sample leads to hxxp://vsrwhitefish.com/bankline/message.php. This opens an HTML document with embedded JavaScript that uses ActiveXObject or a regular HTTP request to start a download, so that the victim opens and/or saves the malicious file as instructed.
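Both the voice-message and the BankLine lures above share the same tell: a link whose path is /bankline/message.php hosted on an unrelated third-party site, sent from an address that claims (or implies) the Bankline brand. The following mail-gateway check is an added example written for this page and is not MX Lab's own tooling. It assumes BRAND_DOMAINS is the list of domains a genuine Bankline/RBS secure-message link would use, and the two sample bodies are constructed from the text quoted on this page (the URLs are the ones reported above). Function names such as analyse_links are hypothetical.

```python
"""Link analysis for the BankLine / voice-message lures above.
Added example, not MX Lab's own tooling; standard library only.
Sample HTML bodies are constructed from the text quoted on this page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the lure imitates and that a genuine RBS/Bankline
# secure-message link would resolve to.
BRAND_DOMAINS = ("bankline.com", "rbs.co.uk")
# Path used by both samples on this page, hosted on unrelated third-party sites.
KNOWN_LURE_PATH = "/bankline/message.php"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def is_brand_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def defang(url):
    """Render a URL so it cannot be clicked in a report (http -> hxxp)."""
    return url.replace("http", "hxxp", 1)


def analyse_links(html, sender_domain):
    """Return [(defanged_url, [reasons])] for links worth blocking."""
    parser = LinkExtractor()
    parser.feed(html)
    verdicts = []
    for href, text in parser.links:
        if not href:
            continue
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.path.lower() == KNOWN_LURE_PATH and not is_brand_host(host):
            reasons.append("known lure path on a third-party host")
        if is_brand_host(sender_domain) and not is_brand_host(host):
            reasons.append("sender claims %s but link points to %s" % (sender_domain, host))
        if reasons:
            verdicts.append((defang(href), reasons))
    return verdicts


# Constructed bodies reproducing the quoted lures (URLs are the ones on this page).
BANKLINE_LURE = """<p>You have received a secure message.</p>
<p>Read your secure message by following the link below:</p>
<p><a href="http://vsrwhitefish.com/bankline/message.php">link</a></p>
<p>About Email Encryption - <a href="http://www.rbs.co.uk/corporate/electronic-services/g2/datalink.ashx">RBS</a></p>"""

VOICE_LURE = """<p>Voice redirected message</p>
<p><a href="http://crcmich.org/bankline/message.php">http://crcmich.org/bankline/message.php</a></p>
<p>Sent: Thu, 13 Nov 2014 11:54:24 +0000</p>"""

if __name__ == "__main__":
    for body, sender in ((BANKLINE_LURE, "bankline.com"), (VOICE_LURE, "essex.org.uk")):
        for url, reasons in analyse_links(body, sender):
            print(url, "->", "; ".join(reasons))
```

The BankLine lure trips both rules (lure path on a third-party host, and a bankline.com sender pointing off-brand); the voice-message lure, sent from an essex.org.uk address, trips only the path rule, which is why the path indicator is worth keeping on its own. The genuine rbs.co.uk link in the same body is left alone.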

Fake “Ihre Telekom Mobilfunk RechnungOnline Monat November 2014” emails lead to malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Ihre Telekom Mobilfunk RechnungOnline Monat November 2014 Nr. 50662087582088”.

This email is sent from the spoofed address “Telekom <info@********.com>” and has the following body:

Dear customer,

Attached you will find the requested documents and data for your Telekom Mobilfunk RechnungOnline for business customers for the month of November,
Download (Your Telekom Mobilfunk RechnungOnline for business customers 9903599055 of 07.11.2014 for customer account 8323990355).

Kind regards,
Business Customer Service

Telekom Deutschland GmbH
Supervisory board: Timotheus Höttges, Chairman
Management: Niek Jan van Damme, Spokesman, Thomas Dannenfeldt, Thomas Freude, Michael Hagspihl, Dr. Bruno Jacobfeuerborn, Dietmar Welslau, Dr. Dirk Wössner
Registration: Amtsgericht Bonn, HRB 59 19, registered office Bonn
VAT ID no.: DE 794100576531
WEEE reg. no.: 367557846100

In this sample, the embedded URL takes us to hxxp://cnibrewards.ca/UE7MphqL, where we download the file 2014_11rechnung_K4768955881.zip, which contains the 226 kB file 2014_11rechnung_K4768955881_pdf_sign_telekom_de_deutschland_gmbh.pdf.exe.

Numbers in the subject and/or file name may vary.

The trojan is known as Gen:Variant.Strictor.68477, HW32.Packed.4F7E, PE:Malware.XPACK-HIE/Heur!1.9C48 or Win32.Trojan.Bp-generic.Ixrn.

At the time of writing, 9 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 5d728f4cd2051cf270a704e9f04735fbd8e9c208a01a2c2665ddc5a87e572aa1

W97M/Downloader.t threat attached as Word file to fake emails from Amazon regarding dispatched order


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your Amazon.co.uk order has dispatched (#203-2083868-0173124)”.

This email is sent from the spoofed address “"Amazon.co.uk" <auto-shipping@amazon.co.uk>” and has the following body:

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #203-2083868-0173124 (received November 5, 2014)

Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us. Occasionally though, we know you may want to return items. Read more about our Returns Policy at: http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom’s Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an “as new” condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label. Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:

http://www.amazon.co.uk/help

If you’ve explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

————————————————-
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
————————————————-

The attached file is named Mail Attachment.doc and is approx. 230 kB in size.

The malicious Word file is detected as W97M/Downloader.t, W97M.DownLoader.110 or W97M.Dropper.Obfus.

At the time of writing, 4 of the 54 AV engines at Virus Total detected the malicious file.

Use the Virus Total permalink for more detailed information.
SHA256: 99077f53365f931bddb4028793f9722c25b7095ae61eae3f6b31f9d7225e8c27

Fake Dutch emails from Intrum Justitia contain Word document with malicious macro


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the following subjects:

Den Haag – Intrum Incasso
Den Haag Incasso Nederland.
INCASSO NEDERLAND.
*INCASSO* NEDERLAND.

This email is sent from the spoofed address “TELECOM <bdiu@inkasso.nl>” and has the following body:

Welcome to Intrum Justitia.

File information

Client name TELECOM B.V.
File status Ongoing
Handler at Intrum Justitia Debt Monitoring Department
Handler's telephone number 070 – 356 9220

Here you can log in to view your payment reminder online.
You will immediately see the details of your reminder and can pay directly via iDeal. It is also possible to respond online or to change your details.
Responding online speeds up the handling of your response. You will also find various links that can help you with information on debts, payments and general terms and conditions. Are there no login details on your reminder?
Then please contact us via the telephone number in the letter.

Original principal amount:

Business address:

Johan de wittlaan 65
5467 JR Den Haag

The attached ZIP file is named Order5611041107.zip and contains the 112 kB file Order5611041107.doc. The numbers may vary, and in some samples the malicious Word document is attached directly to the email itself.

The malicious file is recognised as Troj/DocDl-AX or TROJ_MDROP.PR.

The Word document contains a macro that will download other malicious programs on the computer.

At the time of writing, 2 of the 53 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 25129e0663910755e0daf8eec9319637e4e351ed979dcd86a462577e837f6563

Fake order confirmation “Order Details” from Amazon contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Order Details”.

This email is sent from the spoofed address “Amazon.co.uk” and has the following body:

Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order R:131216 Placed on October 09, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.co.uk

The 532 kB malicious file is not inside a ZIP archive but attached directly, and is named order_report_72364872364872364872364872368.exe (numbers may vary).

The trojan is known as Trojan.MSIL.BVXGen, BehavesLike.Win32.Dropper.qh or Win32.Trojan.Inject.Auto.

At the time of writing, 3 of the 53 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 17de4b7fab716f6c87b5d3c941ecb5f5b01d5e4980cff71c88451acc90b22bb0
