Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”
MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257” that contain the latest Oficla trojan variant. The emails are sent from a spoofed sender address and use a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. The lure is plausible because office print and scan devices such as Xerox machines commonly deliver scanned documents to recipients by email.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named XeroxN6204257.zip with the 32 kB executable Xerox_doc.exe inside. Note that the number in the ZIP archive name matches the number in the subject line and differs with each email.
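
The subject and attachment pattern described above can be turned into a mail-filter check. The following is an added example, not MX Lab's own tooling: it matches both subject formats, verifies that the ZIP name carries the same number as the subject, and inspects the archive for an .exe. The sample message, sender addresses and placeholder archive contents are constructed for the demonstration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject formats seen in the campaign: "... Pro N 6204257" and "... Pro #866521".
SUBJECT_RE = re.compile(r"^Scan from a Xerox WorkCentre Pro (?:N\s*|#)(\d+)\s*$")
# The ZIP name repeats the subject number: XeroxN6204257.zip
ZIP_NAME_RE = re.compile(r"^XeroxN(\d+)\.zip$", re.IGNORECASE)


def classify(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    result = {"subject_match": bool(m), "zip_number_matches": False,
              "exe_in_zip": [], "verdict": "clean"}
    if not m:
        return result
    number = m.group(1)
    for part in msg.iter_attachments():
        zm = ZIP_NAME_RE.match(part.get_filename() or "")
        if not zm:
            continue
        result["zip_number_matches"] = zm.group(1) == number
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                result["exe_in_zip"] = [n for n in zf.namelist() if n.lower().endswith(".exe")]
        except zipfile.BadZipFile:
            result["exe_in_zip"] = []
    if result["zip_number_matches"] and result["exe_in_zip"]:
        result["verdict"] = "quarantine"      # full campaign shape: subject, ZIP name, .exe inside
    else:
        result["verdict"] = "suspicious"      # lure subject without the expected payload shape
    return result


def build_sample(subject: str, zip_name: str, inner_name: str) -> bytes:
    """Constructed test message; the archive holds harmless placeholder bytes, not the real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "scanner@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"        # constructed address
    msg.set_content("Please open the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```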

The trojan is known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

The Windows service SvrWsc (display name “Windows Security Center Service”), backed by the file %System%\svrwsc.exe, will be stopped. Do not be fooled: this “Windows Security Center Service” is the malicious service and has nothing to do with the legitimate Security Center service of Windows.

Several Windows registry changes will be executed, and the trojan can establish connections to the following IPs on port 80:

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from the following URLs:

  • hxxp://www.kollo.ch/images/cgi.exe
  • hxxp://musiceng.ru/music/forum/index1.php
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines at VirusTotal detected the trojan. VirusTotal permalink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

One Response to Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”

  1. lisa says:

    I have received 3 of these in less than 24 hrs. I am not a business user; I thought they were dodgy, so I haven’t opened them. AVG hasn’t detected anything, then AVG never does detect anything wrong with emails.
