FDIC email with attached trojan masked as PDF file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Fw: Security update for banking accounts
FW: Banking security update

The email is sent from a spoofed address and has the following body:

Dear clients,
Your Wire and ACH transactions have been
temporarily suspended. Please open the attached
document (Adobe PDF) for more information.

Best regards,
Online security department
Federal Deposit Insurance Corporation

The attached ZIP file is named FedDIC_0925_W61312.zip and contains the 47 kB file FDIC_FORM_09252011_Coll.exe.pdf. The numbers in the filename vary from email to email.

!!! When MX Lab investigated the attached file, it appeared on screen as FDIC_FORM_09252011_Collexe.pdf. The trick is done by inserting a Unicode "right-to-left override" (RLO) character just before the p of pdf, so the part of the name after it is displayed reversed. The real filename is in fact FDIC_FORM_09252011_Coll.exe.pdf.
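As an added defensive illustration (not part of the MX Lab post), the check below flags attachment filenames that contain Unicode bidirectional control characters and reports the extension a left-to-right display would show next to the extension the operating system actually uses to pick a handler. The sample filename is constructed so that it renders the way the post describes; the rendering logic is an approximation of the bidi algorithm that covers the RLO trick only.

```python
# Unicode bidirectional control characters. They change how a filename is
# drawn on screen but not the bytes the OS uses to choose a file handler.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "jar", "msi", "lnk"}


def rendered_name(name):
    """Approximate what a left-to-right UI shows: text following an RLO/RLE
    is reversed up to the matching PDF (pop) or the end of the string.
    Other controls are invisible and are simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202e", "\u202b"):
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(name):
    """Describe the spoofing risk of one attachment filename."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    # The OS ignores bidi controls when resolving the extension.
    real_ext = _extension("".join(c for c in name if c not in BIDI_CONTROLS))
    shown_ext = _extension(shown)
    return {
        "rendered": shown,
        "rendered_ext": shown_ext,
        "true_ext": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or real_ext in EXECUTABLE_EXTS,
    }


# Constructed sample: displays as FDIC_FORM_09252011_Collexe.pdf, runs as .exe
SAMPLE = "FDIC_FORM_09252011_Coll\u202efdp.exe"
```

A mail gateway would apply `inspect_attachment` to every attachment name and quarantine on `suspicious`, logging the rendered/true extension pair for the analyst.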

The trojan is known as Artemis!CE5AEADAD3D5 (McAfee), W32/Yakes.B!tr (Fortinet), Trojan.Packed.666 (Dr Web), BC.Heuristic.Trojan.SusPacked.BF-6.A (ClamAV), Trojan-Downloader.Win32.Injecter.gty (Kaspersky).

The following files will be created:

%AppData%\KB441600.exe
%Temp%\D.tmp
%Temp%\POS3.tmp
%Temp%\POSC.tmp

The following directory is created:

%AppData%\FBDC89D4

Several Windows registry changes will be executed, and the trojan can establish connections with the following IPs on port 80: 204.160.119.126, 210.125.243.177, 217.24.246.7, 66.208.205.74, 84.53.97.7, and with the IP v on port 443.

Data can be obtained from the following URLs:


At the time of writing, only 11 of the 44 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: ce5aeadad3d5d0e693b5008be0a6c980.
