Fake email with subject “Direct Debiting Seminar Invite” from employee of Natwest contains trojan
November 4, 2013
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Direct Debiting Seminar Invite”.
This email is sent from the spoofed address “BBB <email@example.com>” and has the following body:
Please find attached the above, which I thought that you maybe interested in attending.
Senior Relationship Manager
1 St Paul’s Place
121 Norfolk Street
Sheffield S1 2JF
Telephone: 0114 2066516
Fax: 0114 2723130
Mobile: 07801 194982
National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.
Authorised and regulated by the Financial Services Authority.
This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer.
Internet e-mails are not necessarily secure. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent. National Westminster Bank Plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
The attached ZIP file has the name invitation5549DA0FBCA8A4A69EB.zip and contains the 95 kB large file invitation.exe.
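The delivery pattern described above (a ZIP attachment whose only payload is an executable) can be caught at the mail gateway before the user opens it. The following is an added example, not MX Lab's code: the function names, the extension list and the recipient address are assumptions, and the sample message is constructed with harmless stand-in bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list of directly executable Windows file types.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def executable_members(zip_bytes):
    """Names of archive members that are executable by extension or 'MZ' header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_ext = info.filename.lower().endswith(EXEC_EXT)
            by_magic = False
            if not info.flag_bits & 0x1:  # encrypted members cannot be read
                with zf.open(info) as fh:
                    by_magic = fh.read(2) == b"MZ"  # PE/DOS header, catches renamed files
            if by_ext or by_magic:
                hits.append(info.filename)
    return hits

def scan_message(raw):
    """Map each ZIP attachment's filename to the executable members inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
            try:
                hits = executable_members(data)
            except zipfile.BadZipFile:
                hits = ["<unreadable archive>"]
            if hits:
                findings[name] = hits
    return findings

def build_sample():
    """Constructed message mirroring the campaign's layout; the payload is not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "Direct Debiting Seminar Invite"
    msg["From"] = "BBB <email@example.com>"
    msg["To"] = "user@example.com"
    msg.set_content("Please find attached the above.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invitation5549DA0FBCA8A4A69EB.zip")
    return msg.as_bytes()
```

Checking the first two bytes as well as the extension means an executable renamed to something like .pdf inside the archive is still flagged.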
The trojan is known as UDS:DangerousObject.Multi.Generic.
This trojan has the capability to download other files from the internet.
It will create a file %Temp%\104125.bat and modify some Windows registry values.
The trojan will make a connection with the following hosts to read the file:
Files are also being downloaded from:
MX Lab managed to download the file 0411.exe, which is approx. 340 kB large. Analysis at VirusTotal shows that this file is not detected as a threat yet.
This new file will create a process yqur.exe on the infected system, create a new memory page in the address space of the system process(es) cmd.exe, modify some Windows registry values and can download/connect to other hosts.
At the time of writing, 1 of the 47 AV engines at VirusTotal detected the trojan.