Christmas malware SantasGift.exe


It is a tradition that at the end of the year new email threats emerge, more spam is going around and also for this year we expect to face new threats.

MX Lab started to intercept messages with the subject line “Jingle bells, jingle bells.. Ho ho ho Santa Claus is coming!!”. The message contains an URL that leads to a web site that hosts malware named SantasGift.exe.

The malware is known as Trojan.IRC.Zapchast-16 (ClamAV), Dropped:Backdoor.Zapchast.PI (BitDefender), Backdoor.Zapchast.PF (F-Secure) or Backdoor.IRC.Zapchast.zwrc (Kaspersky).

Virus Total permlink and MD5: ef1982df5c01b62b3fa66daa8115946e

Facebook subject to campaign that combines phishing and malware


MX Lab detected a large new campaign targetting Facebook users. The campaigns combines phishing techniques with the download of malware and a PDF exploit from the web site.

The phishing campaign has the same characteristics of the previous campaign that we have posted:

Facebook account update (part 1)
Facebook account update (part 2)

The message is being sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has various subjects:

Facebook account update
Facebook update tool
New login system

This is the body of the phishing/malware email:

The included leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.

The phishing web site contains instructions on how to update your account.

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

On this page you can see a web page where you need to confirm your old and new password and the download link to the file updatetool.exe that leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

When we have visited the first time the phishing site, an automated download was executed of the file pdf.pdf.

As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9/40 AV engines did detected the threat
Virus Total permlink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

Updatetool.exe:

AV detection rate: 6/40 AV engines did detected the threat
Virus Total permlink and MD5: 095fe570f78c322c8e358c656816c200.

New Bredolab variant in email regarding DHL parcel delivery problems


MX Lab started to intercept new variants of Bredolab in emails regarding DHL parcel delivery problems. The emails comes from the spoofed address Manager Youg Steward <parcel@dhl-usa.com> (name is choosen randomly).

The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

The email has the ZIP attachment named DHL_Label_da882.zip (charachters after DHL_Label_ are choosen randomly) that contains 32 kB big file DHL_Label_da882.exe.

At the time of writing only 14 of the 40 AV engines detect the virus at Virus Total. Virus Total permlink and MD5: 2ddd08612873d8217555f6c40ae32f51.

Follow

Get every new post delivered to your Inbox.

Join 306 other followers