Order confirmation by email contains download URL that leads to malware


MX Lab, http://www.mxlab.eu, reported yesterday on emails with an embedded URL leading to malware, in messages about a new price list.

Today we are intercepting a new variant of this campaign: instead of a price list, the content is now an order confirmation. The messages are sent in English or in Dutch. Every URL points to the same path, /downloads/Document.zip, but on a different website each time; only the host and the tracking parameter in the query string vary.

Possible subjects are:

Re: adviser  id: 7356847
Request id: 71066294.
Bestel id 170-6513
Bestel N 841-5282

The emails are sent from spoofed addresses and have bodies such as the following:

Gruss Gott, carmen.

Your order has been accepted.

Order id: 83435991.

Terms of delivery and the date can be found with the auto-generated msword file
located at:
hxxp://www.radixweb.eu/downloads/Document.zip?Hashcliente=carmen@robpeetoom.nl

==
Tel./Fax.: +31 (0)346 529 64 40

Gruss Gott, ****@****.nl.

Thank you for the order,
id: 862446.

Your credit card will be charged for 638 dollars.

Information about the order and delivery located at:

hxxp://www.shancommunity.org/downloads/Document.zip?Hashcliente=contact@robpeetoom.nl

____________________________
Best regards, ticket service.
Tel./Fax.: +31 (0)346 542 41 05

Uw bestelling is geaccepteerd.
Bestel id 170-6513.
Leveringsvoorwaarden en de datum kan worden gevonden met een zelf gegenereerde PDF-bestand
te vinden op: hxxp://www.dfrmontaggi.it/downloads/Document.zip?n=170-6513
Met de beste wensen.

Uw bestelling is geaccepteerd.
Bestel id 841-5282.
Leveringsvoorwaarden en de datum kan worden gevonden met een zelf gegenereerde PDF-bestand
te vinden op: hxxp://www.virgendeflores.es/downloads/Document.zip?n=841-5282
Met de beste wensen.

Both Dutch bodies read, in English: "Your order has been accepted. Order id 170-6513 (or 841-5282). Terms of delivery and the date can be found in a self-generated PDF file, found at: [URL]. With best wishes." Note that the Dutch variant promises a PDF while the English variant promises a Word document; the link serves the same Document.zip in both cases.

The trojan is detected as W32/Yakes.B!tr (Fortinet), Generic FakeAlert.fz (McAfee), Worm:Win32/Gamarue.B (Microsoft), W32/Kryptik.ATI (Norman), Trojan/Win32.Yakes (AhnLab-V3) or as a variant of Win32/Kryptik.VYH (NOD32).

The following file is created:

%AllUsersProfile%\Local Settings\Temp\d928fffd000226d7.exe

The following directories are created:

%AllUsersProfile%\Local Settings
%AllUsersProfile%\Local Settings\Temp

New processes are created on the system:

Several Windows registry changes are made, and the trojan can establish connections to the following IPs on port 80:

195.214.238.241
88.222.0.5

The trojan can retrieve data from the following URLs:

hxxp://heppishopdrm.ru/ice1/image.php
hxxp://www.sta.lt/smile023666.exe

At the time of writing, only 6 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink (MD5 602f9f68c5c1823fddd45226ed05c742).

[UPDATE]

The campaign has already changed and is now sent with the following possible subjects:

Mistaken admission of money.
Refund. 392 euros.
Statement cash flow in your account.
Enrollment of money.

Some examples of the body:

Hello!
Your account has received two transaction by 392 euros.
Second transaction was accepted by mistake.

Please read this information carefully:
hxxp://www.miteaspa.it/downloads/Document.zip?i=994-43826

Hello!

Your account has received two transaction by 90 euros.
Second transaction was accepted by mistake.

Please read this information carefully:

hxxp://www.grafichelb.it/downloads/Document.zip?a=55365

We hope to collaborate in the future.

Greetings!

Your account has received two transaction by 342 euros.
Second transaction was accepted by mistake.
Please read this information carefully:
hxxp://www.thegrassisgreener.net/downloads/Document.zip?n=7660491

With best wishes.

Hello!
Your account has received two transaction by 59 euros.
Second transaction was accepted by mistake.

Please read this information carefully:
hxxp://www.kellylarsonsales.com/downloads/Document.zip?n=9790108

We hope to collaborate in the future.
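Across both waves (the order confirmations above and the refund lures in this update) the hosts change but the path /downloads/Document.zip does not, and the only thing that varies in the query string is the name of the per-recipient tag (Hashcliente, n, i, a). The following Python script is an added example, not code from MX Lab: it extracts URLs from message bodies, refangs the hxxp form used in this write-up, and flags any URL with that path regardless of host. The sample set is constructed from the lure bodies quoted on this page plus one benign control using example.com; the function names are my own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample set: the lure bodies quoted above, kept defanged (hxxp) as on the page,
# plus one benign control message that must not be flagged.
SAMPLES = [
    "Terms of delivery and the date can be found with the auto-generated msword file\n"
    "located at:\nhxxp://www.radixweb.eu/downloads/Document.zip?Hashcliente=carmen@robpeetoom.nl",
    "Information about the order and delivery located at:\n\n"
    "hxxp://www.shancommunity.org/downloads/Document.zip?Hashcliente=contact@robpeetoom.nl",
    "Leveringsvoorwaarden en de datum kan worden gevonden met een zelf gegenereerde PDF-bestand\n"
    "te vinden op: hxxp://www.dfrmontaggi.it/downloads/Document.zip?n=170-6513",
    "te vinden op: hxxp://www.virgendeflores.es/downloads/Document.zip?n=841-5282",
    "Please read this information carefully:\nhxxp://www.miteaspa.it/downloads/Document.zip?i=994-43826",
    "hxxp://www.grafichelb.it/downloads/Document.zip?a=55365",
    "hxxp://www.thegrassisgreener.net/downloads/Document.zip?n=7660491",
    "hxxp://www.kellylarsonsales.com/downloads/Document.zip?n=9790108",
    # Benign control (assumed): same path prefix, different file; must not match.
    "Your invoice is at http://www.example.com/downloads/Invoice-2012.pdf. Thanks!",
]

# Matches http/https URLs as well as the defanged hxxp form used in write-ups.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)

# The campaign keys on the path, not the host: the hosts rotate, the path does not.
CAMPAIGN_PATH = "/downloads/document.zip"


def refang(url: str) -> str:
    """Turn the defanged 'hxxp' scheme back into 'http' so urlparse sees a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Every URL in the text, refanged, with trailing sentence punctuation stripped."""
    return [refang(m.group(0).rstrip(".,;:!?)")) for m in URL_RE.finditer(text)]


def is_campaign_url(url: str) -> bool:
    """True when the URL has the campaign's fixed path, whatever the host or query string."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.path.lower() == CAMPAIGN_PATH


def triage(text: str) -> list[dict]:
    """Flag campaign URLs in one message body and record the host and tracking parameter."""
    hits = []
    for url in extract_urls(text):
        if not is_campaign_url(url):
            continue
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        hits.append({"url": url, "host": parsed.netloc.lower(), "params": params})
    return hits


def flagged_hosts(bodies: list[str]) -> list[str]:
    """Distinct lure hosts across a batch of messages, for blocklisting or takedown requests."""
    return sorted({hit["host"] for body in bodies for hit in triage(body)})


def tracking_params(bodies: list[str]) -> set[str]:
    """Names of the query parameters the campaign uses to tag each recipient."""
    return {name for body in bodies for hit in triage(body) for name in hit["params"]}


if __name__ == "__main__":
    for body in SAMPLES:
        for hit in triage(body):
            print(hit["host"], hit["params"])
    print("hosts:", flagged_hosts(SAMPLES))
    print("params:", tracking_params(SAMPLES))
```

Keying the rule on the path rather than on a host list is what keeps it useful: every new wave on this page brought new hosts but the same Document.zip path, and a host blocklist built on yesterday's samples would have missed today's. The tracking parameter (an email address in the Hashcliente variant, an order number in the others) is worth recording because it tells the sender which recipient clicked.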
