MX Lab intercepts new Bredolab trojan variants in several email formats, ranging from a receipt from the Apple Store on Fifth Avenue to an NYCEDC Employment Application, and more.
Please note that the from address is spoofed in all cases, and that the subject, the body of the email and the filename may change. We also do not list every new email format in which this trojan is present, so it is possible that new email formats emerge as you read this.
Your receipt from Apple Store, Fifth Avenue
The first example contains the subject “Your receipt from Apple Store, Fifth Avenue”, is from a spoofed address and has the following very short email body:
Thank you for shopping at the Apple Store.
The email has the attachment emailreceipt_20100116R0951092283.zip.
NYCEDC Employment Application
This email has the subject “NYCEDC Employment Application” and has the following email body:
It was nice talking with you yesterday. Attached is the NYCEDC Employment Application. It’s an interactive PDF form so you should be able to type directly into it. If you could bring a completed copy with you to the interview, that would be great. Please let me know if you have any questions.
The email has the attachment file_13671.zip.
Final_moments_of_Air_France
This email has the subject “Final_moments_of_Air_France” and has the following email body:
Please have a look at these photos from Air france crash.
The email has the attachment Final_moments_of_Air_France_-_Incredible_Photos.zip.
0462
This email has the subject “0462” and the following body of the email:
I hope that this message finds you well. What do you think of the attached role?
The email has the attachment Code 9664 – for email.zip.
Your Quote from AA Getaway Coaches
This email has the subject “Your Quote from AA Getaway Coaches” and has the following body:
Thank you for choosing AA Getaway Coaches. Your Quote is attached. If you decide to travel with us, please sign and fax back to our offices the Reservation Request Form as soon as possible to reserve your vehicles.
Pay Online with PayPal. Fax your signed Reservation Request From back to our offices at 718.982.5274, we will reserve your vehicles and send you an email containing instructions to make your payment online using PayPal – safely and securely.
The attached documents are in PDF format and require a compatible PDF viewer such as Adobe Reader.
The email has the attachment reservationRequestForm0000043643.zip.
Proposal
This email has the subject “Proposal” and the following body:
It was a pleasure to meet you last night, and thank you ! As per our conversation, please find attached a preliminary proposal, including various prix fixe menus and a credit card authorization form. Also attached is our current wine list, in case you would like to pre-select any wine for this event. Please let me know if you have any questions, as it would be my pleasure to assist you.
Thanks and best,
52 E 41st Street
New York, NY 10017
This email has the attachment CURRENT_WINE_LIST_04-02-10(c)_(2)1.zip.
Resume
This email has the subject “Resume” and the following body:
I cleaned up the formatting of the resume and will review the content at some point today. Save this as your latest version and I’ll talk to you later.
This email has the attachment Marcelino Estrada Resume.zip.
acceptance letter & benefit summary
This email has the subject “acceptance letter & benefit summary” and the following body:
As discussed, attached is a copy of your acceptance letter and a copy of the ASPCA benefit summary for review. We will have the original acceptance letter here for you in the morning. Please ask for me at the front reception desk at around 9:15 a.m.
We are so excited to have you joining the HR team and the ‘A’
See you tomorrow!
This email has the attachment Summary of Benefits – New York.zip.
Analysis of the threat:
The trojan is known as W32/Bredolab.GE (Authentium), Trojan.Bredolab-987 (Clam AV), W32/Bredolab.B!genr (Norman), Troj/Bredo-DV (Sophos).
The trojan will create the following files:
The following processes are created:
Process Name: 16887.exe
Process Filename: %AppData%\16887.exe
Process Name: _ex-08.exe
Process Filename: %Windir%\temp\_ex-08.exe
Several Windows registry modifications are performed on the system, and the trojan can establish a connection to the IPs 18.104.22.168 and 22.214.171.124 on port 80.
The trojan will download data from the remote web host at hxxp://126.96.36.199/cb_soft.php?q=7a76b969b50d772dfcffc81e3205c1d9
VirusTotal permalink and MD5: e59e39cff3bc611d3bd50287c94deb66.
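The lure subjects and attachment names listed above, together with the dropped-file paths, IPs and download URL from the analysis, are enough to build a small triage helper. The script below is an added example and is not MX Lab's code: it folds the indicators from this post into lookup tables, matches mail metadata against the subject/attachment pairs, normalises expanded Windows paths back onto the %AppData% and %Windir% forms used above before comparing them with the dropped files, and scans proxy-log lines for the listed IPs and the cb_soft.php download path. The proxy-log layout and all sample lines are constructed for the example; the indicator values are exactly those given in the post.

```python
"""Added triage example (not from the MX Lab post): match mail metadata and
host/proxy telemetry against the Bredolab indicators listed in the post.
All sample inputs below are constructed."""
import re

# Subject / attachment pairs as listed in the post.
LURES = {
    "Your receipt from Apple Store, Fifth Avenue": "emailreceipt_20100116R0951092283.zip",
    "NYCEDC Employment Application": "file_13671.zip",
    "Final_moments_of_Air_France": "Final_moments_of_Air_France_-_Incredible_Photos.zip",
    "0462": "Code 9664 \u2013 for email.zip",
    "Your Quote from AA Getaway Coaches": "reservationRequestForm0000043643.zip",
    "Proposal": "CURRENT_WINE_LIST_04-02-10(c)_(2)1.zip",
    "Resume": "Marcelino Estrada Resume.zip",
    "acceptance letter & benefit summary": "Summary of Benefits \u2013 New York.zip",
}
LURE_SUBJECTS = {s.lower() for s in LURES}
LURE_ATTACHMENTS = {name.lower() for name in LURES.values()}

# Host and network indicators from the post (IPs exactly as printed there).
DROPPED_FILES = {r"%appdata%\16887.exe", r"%windir%\temp\_ex-08.exe"}
C2_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}
C2_PATH = "/cb_soft.php"
SAMPLE_MD5 = "e59e39cff3bc611d3bd50287c94deb66"


def triage_mail(subject, attachments):
    """Return the indicator kinds a mail matches ("subject", "attachment").
    The post says subject and filename vary, so treat a subject-only match
    as weak; the attachment name is what should drive quarantine."""
    hits = []
    if subject.strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    if any(name.strip().lower() in LURE_ATTACHMENTS for name in attachments):
        hits.append("attachment")
    return hits


def normalize_path(path):
    """Fold an expanded Windows path onto the %AppData% / %Windir% forms used
    in the post so the match does not depend on the user profile name."""
    p = path.lower()
    p = re.sub(r"^c:\\documents and settings\\[^\\]+\\application data", "%appdata%", p)
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)
    p = re.sub(r"^c:\\windows", "%windir%", p)
    return p


def is_dropped_file(path):
    """True if the path is one of the files the post says the trojan creates."""
    return normalize_path(path) in DROPPED_FILES


def is_known_sample(md5_hex):
    """True if a file hash equals the MD5 given in the post."""
    return md5_hex.strip().lower() == SAMPLE_MD5


# Assumed (constructed) proxy-log shape: "<date> <time> <client> <dst_ip>:<port> <method> <url>".
PROXY_RE = re.compile(r"^(\S+ \S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (\S+)$")


def proxy_hit(line):
    """Return (client, reason) when a proxy line matches a network indicator, else None.
    The download path is checked first because it is the more specific indicator."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    _, client, dst, port, _, url = m.groups()
    if C2_PATH in url.lower():
        return (client, "cb_soft.php download URL")
    if dst in C2_IPS:
        return (client, "known Bredolab IP on port " + port)
    return None


SAMPLE_PROXY_LOG = [  # constructed lines for the example
    "2010-01-16 09:51:12 10.0.0.15 192.0.2.10:80 GET http://192.0.2.10/index.html",
    "2010-01-16 09:52:03 10.0.0.15 18.104.22.168:80 GET http://18.104.22.168/",
    "2010-01-16 09:52:04 10.0.0.15 126.96.36.199:80 GET http://126.96.36.199/cb_soft.php?q=7a76b969b50d772dfcffc81e3205c1d9",
]

if __name__ == "__main__":
    print(triage_mail("Your receipt from Apple Store, Fifth Avenue",
                      ["emailreceipt_20100116R0951092283.zip"]))
    print(is_dropped_file(r"C:\Documents and Settings\alice\Application Data\16887.exe"))
    for entry in SAMPLE_PROXY_LOG:
        print(proxy_hit(entry))
```

A mail gateway would feed `triage_mail` the parsed headers and attachment names of each inbound message, while `is_dropped_file` and `proxy_hit` are meant for endpoint file listings and web-proxy logs respectively; a hit on the cb_soft.php path or on one of the IPs identifies the client that should be pulled for the dropped-file check.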