New trojan variant comes in multiple formats from the SMTP sender fraud@aexp.com and servcies@citibank.com


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email that comes in multiple formats.

The trojan is known as Trojan.Agent.ED and is detected by only 2 of the 48 engines at VirusTotal.

In all cases, the trojan can produce outbound traffic and can download other files from the internet.

The system process hhcbrnaff.exe is created and several Windows registry modifications are performed.

The trojan can make connections with tristacey.com on port 443 (an HTTPS protocol port) and will connect as user “tristacey.com” with the password “tristacey.com”.

Virus Total permalink and SHA256: 298f7ccc398d150729ff9a6905f68b0fae93822bcd3b2f8293332a7d63733827.

IMPORTANT – NatWest Secure Message

This email has the subject “IMPORTANT – NatWest Secure Message”, is sent from the spoofed address “NatWest.co.uk <secure.message@natwest.co.uk>” (note: on the SMTP level the from address is fraud@aexp.com) and has the following body:

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6101.

First time users – will need to register after opening the attachment.
About Email Encryption -

The attached ZIP file has the name SecureMessage.zip and contains the 23 kB file SecureMessage.exe.

Important – attached form

This email has the subject “IMPORTANT – NatWest Secure Message”, is sent from the spoofed address “Maxine_Egan <Maxine_Egan@rbs.co.uk>” (note: on the SMTP level the from address is fraud@aexp.com) and has the following body:

Check attached form.

Maxine_Egan
Portfolio Manager
Commercial Banking Support
Thames Gateway Commercial Office
2nd Floor, Riverbridge House, Anchor Boulevard,
Crossways, Dartford, Kent DA2 6SL
Depot Code 023

Tel: 01322 505073
Fax: 01322 859462
email: Maxine_Egan@rbs.co.uk
Supporting your business ambitions – http://www.natwest.com/ahead

This information is classified as Confidential unless otherwise stated.

The Royal Bank of Scotland plc, Registered in Scotland No. 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent. The Royal Bank of Scotland plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

The attached ZIP file has the name RBS_Docs_hp.digital8.zip and contains the 23 kB file RBS_Docs_10072013.exe.

Case Q7B8Z6WJNZAFF8G

This email has the subject “IMPORTANT – NatWest Secure Message”, is sent from the spoofed address “Companies House <webfiling@companieshouse.gov.uk>” (note: on the SMTP level the from address is service@citibank.com) and has the following body:

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

(CC01) Company Complaint for the above company was accepted on 07/10/2013.

The submission number is Q7B8Z6WJNZAFF8G

Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.

Not yet filing your accounts online? See how easy it is…

Note: reference to company may also include Limited Liability Partnership(s).

Thank you for using the Companies House WebFiling service.

Service Desk tel +44 (0)303 1234 500 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

The attached ZIP file has the name Case_Q7B8Z6WJNZAFF8G.zip and contains the 23 kB file Case_07102013.exe.

Note that the number/letter combination in the subjects, the bodies of the emails and the names of the attached files can change from message to message.
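As an added example (not MX Lab's code), a small mail-filter check in Python that flags the traits the alert describes: the SMTP-level sender (Return-Path) being one of the two campaign addresses while the From header claims a bank or Companies House domain, and a ZIP attachment whose name follows the campaign's naming and that carries an executable. The sample message is constructed for the demonstration, not a captured one.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Envelope senders named in the alert (both spoofed a different From domain).
KNOWN_ENVELOPE_SENDERS = {"fraud@aexp.com", "service@citibank.com"}
# Attachment names seen in the campaign; the case id and date portions vary.
LURE_ZIP_NAMES = re.compile(r"^(SecureMessage|RBS_Docs_[\w.]+|Case_[A-Z0-9]+)\.zip$", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")

def build_sample() -> bytes:
    """Constructed lookalike of the 'NatWest Secure Message' lure (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Return-Path"] = "<fraud@aexp.com>"          # what the SMTP level reports
    msg["From"] = "NatWest.co.uk <secure.message@natwest.co.uk>"  # spoofed header
    msg["To"] = "victim@example.org"
    msg["Subject"] = "IMPORTANT - NatWest Secure Message"
    msg.set_content("You have received a secure message ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SecureMessage.zip")
    return msg.as_bytes()

def analyse(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    header_from = parseaddr(str(msg.get("From", "")))[1].lower()
    if envelope in KNOWN_ENVELOPE_SENDERS:
        findings.append(f"known campaign envelope sender {envelope}")
    if envelope and header_from and envelope.split("@")[-1] != header_from.split("@")[-1]:
        findings.append(f"envelope/From domain mismatch: {envelope} vs {header_from}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_ZIP_NAMES.match(name):
            findings.append(f"attachment name matches campaign pattern: {name}")
        if name.lower().endswith(".zip"):
            try:  # look inside the archive for an executable payload
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    exes = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
            except zipfile.BadZipFile:
                exes = []
            if exes:
                findings.append(f"zip carries executable(s): {', '.join(exes)}")
    return findings
```

A real gateway would take the envelope sender from the MAIL FROM of the SMTP session rather than a Return-Path header, which the sender controls; the logic is the same.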

7 Responses to New trojan variant comes in multiple formats from the SMTP sender fraud@aexp.com and servcies@citibank.com

  1. Chris Morris says:

    Just had this purporting to come from Companies House, UK. Well documented with Company name right and everything

  2. Got pretty much the same but purporting to come from vodaphone. Slickly produced. Zip file attached. Message headers show the fraud@aexp.com address

  3. Pete Morgan says:

    I have had this purporting to come from Companies House, Vodafone, Fedex, Lloyds TSB and a host of other companies. The Companies House one in particular is very slick.

  4. Simon King says:

    Been receiving this for 4 days now, thankfully all blocked, totaling over 1000 received. All from fraud@aexp.com

  5. Marcus says:

    I have the similar emails coming in, (headers show fraud@aexp.com) but it claims to be from my domain (Administrator(at)*my domain*.ca)

    • Karen says:

      I just received the same, once from my email address at my domain, and again as administrator at my domain. We own our domain and it is our personal one so it isn’t associated with any commercial sites. The first one had a zip file, the second one said it had outlook settings. I notified my hosting service of this so hopefully they can block it from getting through anymore.

  6. Mark says:

    This came to me as instructions for updating Outlook with new settings. The supposed sender was “Administrator@ca.rr.com.” My e-mail address is xxxx@ca.rr.com (Time Warner Road Runner).
