Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”


MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257″ that contains the latest Oficla trojan variant. The emails are sent from a spoofed email address and contains a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. It is quite common that an office print and scan center like a Xerox machine will send a scanned document by email to a recipient.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named XeroxN6204257.zip with the 32 kB large document Xerox_doc.exe inside. Note that the number of the ZIP archive matches the number in the subject line and will be different with each email.

The trojan is known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

The Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe will be stopped. Do not be fooled, the Windows Security Center Service is a malicious service and has nothing to do with the legitimate service Security Center from Windows .

Several Windows registry changes will be exectued and the trojan can establish connection with the following IPs on port 80:

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from following URLs:

  • hxxp://www.kollo.ch/images/cgi.exe
  • hxxp://musiceng.ru/music/forum/index1.php
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

Follow

Get every new post delivered to your Inbox.

Join 288 other followers