Emails with subject “I’m going to send you the photos in” contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “I’m going to send you the photos in”.

The email is sent from the spoofed address “Facebook <noreply@netlogmail.com>” and has the following body:

Hello Man,

I don't know how to say it, but a long time ago I tried to send you some photos, but I thought you were not interested in seeing me.
But now I am going to send you the photos in the attachment.
Download the pictures and extract them, I am sure you will like them. The password is: 123456

Have a nice day.

The attached ZIP file is named DSC0172635.zip and contains the 244 kB file DSC0172635.exe (the numbers may change with each email).

The trojan is known as TR/Crypt.CFI.Gen (AntiVir), Worm.Win32.Ainslot!IK (Emsisoft), Artemis!784DBB4768DB (McAfee), W32/Obfuscated.A!genr (Norman).

This trojan has the characteristics of ZBot – a banking trojan that disables the firewall, steals financial data, takes screen snapshots, downloads additional components and gives the attacker remote access to the infected system.

The following files will be created:

%AppData%\lshss.exe
%System%\sdra64.exe

The following hidden files will be created:

%System%\lowsec\local.ds
%System%\lowsec\user.ds

The following hidden directory is created:

%System%\lowsec

Several Windows registry changes will be executed and the trojan can establish a connection on port 80 to the following IP:

78.159.111.221

Data can be obtained from the following URLs:

    • hxxp://creeksidemtncabins.com/asda33as33asdad33asdad33asdad33asdad33asdad33asdad333as333asdad33as.bin
    • hxxp://creeksidemtncabins.com/asda33as33asdad33asdad33asdad33asdad33asdad33asdad333as333asdad33asdad33asdad3asdad33asdad33asdaddad33asdad33asdad3a33asdad33asdad33asdadsda22d33asdad33asdad33asdad33asdad33asdad33asdad33asdad33asdad33asdad33asdadd33asdad33asdada33asdad33asdaddasd.php
    • hxxp://creeksidemtncabins.com/ip.php

When visiting the URL, something we do not recommend doing, we got a standard HTML error page with the message “This Account Has Been Suspended”. The IP 78.159.111.221 is registered to Leaseweb Germany GmbH.

At the time of writing, only 10 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 784dbb4768dbe5ee5b0f3e8d0b0a4165.
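As an added example (not MX Lab's code), the following Python check turns the indicators in this write-up (lure subject, spoofed “Facebook” display name, DSC<digits>.zip attachment carrying an .exe, the known MD5 and the ZIP password from the lure) into a triage function a mail gateway or analyst can run over a raw message. The sample message it builds is constructed and carries a harmless dummy payload, not the trojan.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the MX Lab write-up above; the ZIP password is the one given in the lure.
LURE_SUBJECT = "I'm going to send you the photos in"
KNOWN_MD5 = {"784dbb4768dbe5ee5b0f3e8d0b0a4165"}
ATTACHMENT_RE = re.compile(r"^DSC\d+\.zip$", re.IGNORECASE)

def triage_message(raw: bytes) -> list:
    """Return the campaign indicators that a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if LURE_SUBJECT in (msg["subject"] or "").replace("\u2019", "'"):
        hits.append("subject matches lure")
    # Display name claims Facebook but the mailbox domain is not facebook.com.
    for addr in (msg["from"].addresses if msg["from"] else ()):
        if "facebook" in addr.display_name.lower() and not addr.domain.lower().endswith("facebook.com"):
            hits.append(f"spoofed sender: {addr.display_name} <{addr.addr_spec}>")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name matches DSC<digits>.zip: {name}")
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK"):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".exe"):
                    pwd = b"123456" if info.flag_bits & 0x1 else None  # encrypted entry? use lure password
                    digest = hashlib.md5(zf.read(info, pwd=pwd)).hexdigest()
                    tag = "known sample" if digest in KNOWN_MD5 else "unknown"
                    hits.append(f"exe inside zip: {info.filename} md5={digest} ({tag})")
    return hits

def build_sample() -> bytes:
    """Constructed message mimicking the campaign; the payload is a harmless dummy, not the trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DSC0172635.exe", b"MZ dummy bytes, not the real sample")
    m = EmailMessage()
    m["Subject"] = "I\u2019m going to send you the photos in"
    m["From"] = "Facebook <noreply@netlogmail.com>"
    m.set_content("Hallo Man, ... Das Passwort ist: 123456")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="DSC0172635.zip")
    return m.as_bytes()
```

Running `triage_message(build_sample())` reports all four indicator classes; a real gateway would quarantine on the attachment and sender checks alone, since the subject and digits change between waves.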