Fake email Adobe Invoice, regarding an Adobe Creative Cloud Service invoice, contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Invoice”. It is quite similar to a previous malicious campaign, but in that case a Word document was used.

This email is sent from the spoofed address “Adobe Billing <billing@adobe.com>” and has the following body:

Dear Customer,

Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service

The attached ZIP file has the name adb-102288-invoice.zip and contains the 117 kB file c3.exe.

The trojan is known as PE:Malware.FakePDF@CV!1.9C3A or Win32.Trojan.Inject.Auto.

At the time of writing, 2 of the 53 AV engines detected the trojan at Virus Total, so be careful when handling this email.

Use the Virus Total permalink for more detailed information.
SHA256: 39475a931af23d7d61e2898bcd2e5f69f8e6770848a306980ea8ef6dcfc2bc08

Malicious Adobe Invoice.doc attached to fake emails Adobe Creative Cloud Service invoice


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Invoice”.

This email is sent from the spoofed address “Adobe Billing <billing@adobe.com>” and has the following body:

Dear Customer,

Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service

The attached file is 42 kB in size and has the name Adobe Invoice.doc.

The trojan is known as W97M.Dropper.F, VBA/TrojanDownloader.Agent.AZ, MSOffice/Agent!tr or Win32.Trojan.Macro.Dxmz.

At the time of writing, 4 of the 55 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 55f06751b22dd5c17bcce7ab9e9da59dcabd3840ab089fe8b800c8aebbf1f3f5

Trojan attached in fake emails regarding license key from Adobe


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the following subjects:

Download your adobe software
Download your license key
Thank you for your order
Your order is processed

This email is sent from a spoofed address such as “Adobe Software <soft@adobes.com>”, “Adobe Software <support@adobes.com>”, “Adobe <software@adobes.com>”, “Adobe Software <your_order@adobes.com>” or similar and has one of the following bodies:

Hello.

Thank you for buying Director 11.5 software.
Your Adobe License key is in attached document below.

Adobe Systems Incorporated.

Hello.

Thank you for buying Creative Suite 6 Master Collection software.
Your Adobe License key is in attached document below.

Adobe Systems Incorporated.

Order Notification.

Thank you for buying Adobe Connect software.
Your Adobe License key is in attached document below.

Adobe Systems Incorporated.

The attached ZIP file has the name License_Key_OR8957.zip and contains the 209 kB file License_Key_Document_Adobe_Systems_Incorporated.exe.

The trojan is known as Win32:Malware-gen, W32/Trojan.BDDH-7155, W32/Trojan3.GVP, Trojan-Downloader.Win32.Dofoil.rqh or Artemis!30AAE526F5C4.

At the time of writing, 11 of the 45 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: a6cb6905775a7c4995222b3d91e7513a405d0cd183b7106dd713e720b2a4762a.

New trojan variant with Adobe Software Critical Upgrade Notification emails


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar to:

Adobe Software Critical Upgrade Notification ID: M29MGJW7CN3
Adobe Systems Software Critical Upgrade Notification ID: 6974438831048
Adobe Acrobat: Upgrade Needed, Tue, 6 Dec 2011 15:08:48 +0100

The email is sent from the spoofed address “Adobe Update Notification <no-reply@adobe.com>” and has the following body:

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader and Adobe X Suite
Advanced features include:

- Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange

To upgrade and enhance your work productivity today please open attached file.

Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: C0RCKD-7363931

Adobe Systems Incorporated,
Tue, 6 Dec 2011 13:21:16 -0300

The attached ZIP file has the name AdobeSystems-Software_Critica Update_Dec_2011-ELA6L7G9D.zip and contains the 200 kB file Adobe Systems Software Critical Update Dec 2011.exe.

The trojan is known as PWS-Zbot.gen.hb (McAfee), PWS:Win32/Zbot.gen!Y (Microsoft), W32/Zbot.YFP (Norman).

At the time of writing, only 5 of the 43 AV engines detected the trojan at Virus Total.

Virus Total permalink and MD5: 2cf8db09963b2077e42aeb1d644b160f.

Adobe Acrobat Reader update notification comes with malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Adobe Acrobat: Upgrade Needed”.

The email is sent from the spoofed address “Adobe Update Notification <no-reply@adobe.com>” and has the following body:

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader
Advanced features include:

- Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange

To upgrade and enhance your work productivity today please open attached file.

Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: YPK7XJ-5955527

Adobe Systems Incorporated,
Wed, 30 Nov 2011 16:45:33 +0100

The attached ZIP file has the name Adobe-Software-Update-VUREU328263.zip and contains the 203 kB file AdobeSoftwareUpdate-20111130.exe. Note that the filenames can be different.

The trojan is known as Trojan.Generic.KDV.442070 (BitDefender), W32/Zbot.DD.gen!Eldorado (F-Prot), PWS-Zbot.gen.oe (McAfee), Troj/Kirje-B (Sophos).

At the time of writing, only 22 of the 43 AV engines detected the trojan at Virus Total.

Virus Total permalink and MD5: 22728244953af82281b37265060384c4.

Email with Adobe license key attached contains a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your InDesign CS4 License key”.

The email is sent from the spoofed address “Adobe <help-no.146@adobe.com>” and has the following body:

Hello,

Your Adobe CS4 License key is in attached document below.
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The attached ZIP file has the name License_key_N7853.zip and contains the 47 kB file License_key.exe.

Please note that the From address, the subject, the content and the name of the attached file can vary.

The trojan is known as Troj/Bredo-LK (Sophos), W32/Yakes.F.gen!Eldorado (F-Prot), Downloader.Chepvil (Symantec).

At the time of writing, only 7 of the 43 AV engines detected the trojan at Virus Total.

Virus Total permalink and MD5: 09ecaf9fd2f4d7d42b0b4fde0f53b21e.
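
Since the sender, subject and attachment names change from one campaign to the next and AV detection is low at first, a mail filter can key on structure instead: a brand display name on another domain, and an executable inside the attachment. The following is an added example, not MX Lab's code; `BRAND_DOMAINS`, the function names and the sample message (inert filler bytes) are assumptions made for illustration.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
BRAND, BRAND_DOMAINS = "adobe", {"adobe.com"}  # assumption: legitimate sender domain(s)


def looks_executable(name: str, head: bytes) -> bool:
    # PE files start with "MZ"; the extension check catches scripts and renamed members.
    return head[:2] == b"MZ" or name.lower().endswith(EXEC_EXT)


def inspect_message(raw: bytes) -> dict:
    """Flag brand-named senders on other domains and executables in attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    out = {"lookalike_sender": BRAND in display.lower() and domain not in BRAND_DOMAINS,
           "executables": [], "sha256": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        out["sha256"][name] = hashlib.sha256(data).hexdigest()  # for reputation lookup
        if looks_executable(name, data):
            out["executables"].append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Encrypted members cannot be read without a password: name only.
                    head = b"" if info.flag_bits & 0x1 else zf.open(info).read(2)
                    if looks_executable(info.filename, head):
                        out["executables"].append(f"{name}!{info.filename}")
    return out


def build_sample(sender: str, member: str, content: bytes) -> bytes:
    """Constructed test message; member content is inert filler, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "user@example.org"
    msg["Subject"] = "Download your license key"
    msg.set_content("Your Adobe License key is in attached document below.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="License_Key_OR8957.zip")
    return msg.as_bytes()
```

The sender check only catches lookalike domains such as adobes.com; a message that spoofs the exact adobe.com address passes it and has to be rejected through SPF, DKIM and DMARC evaluation at the receiving gateway.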
