Emails with embedded URL to handtekening.zip downloads malicious file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign sent by email with an embedded URL to download the file “handtekening.zip”.

The email is sent from spoofed addresses and comes in different flavors.

One example comes from the email address “reding@taurus.apple.com”, has the subject “account geblokkeerd” and the body:

Gentile utente,

Uw account is gewijzigd
hxxp://alaein.com/overeenkomst/handtekening.zip?cGqsc3LKKjZ=******@******.nl

Tel./Fax.: (040) 660 47 77

A second sample comes from “Supportpay <dennis@wagstaffelaw.com>”, has the subject “For your company is registered tax debts.” and the body:

nvxcO,

LpcisyAX xaOG xQSSTv Gy,

NlnLOCH rjJjiJ rGh MvDc
hxxp://50.23.220.10/Aanvraag/handtekening.zip?vBY39OKtAYAChg2=******l@******.nl

slCCs
IaAUVEx atsDxAYO

A third sample comes from “Billing”, has the subject “handtekening” and the following body:

Geachte klant.

Het verzenden van de overeenkomst te ondertekenen de laatste pagina,
af te drukken en stuur het naar mij door te scannen.
hxxp://1800street.com/overeenkomst/betaling.zip?GOerwDe7EWNaf=******@******.nl

Veel dank.

And a fourth example comes from “billing <hpandres@ncat.edu>”, with the subject “For your company” and with the body:

EbfwAO,

CiyCFY BUXL krneYBh jO,

eSgK gYSjH mMom JJanu
hxxp://hemdip.com/betaling/handtekening.zip?TnY6vEO1pke11HVNy=******@******.nl

kktYWH
giVazx paEmmZndM

A fifth example comes from “m.jacobs@lipsonneilson.com”, with the subject “Documentatie voor het beheer” and the following body:

Zdravsvuyte.
Opbrengst verminderd.
Wij verzoeken u de documentatie downloaden en stuur het naar uw superieuren.
hxxp://hemdip.com/Aanvraag/handtekening.zip?4VcKWZ9KTetbDKL0Ao9DOBM9=******@******.nl

The URL actually downloads the file handtekening.Pdf__[many_underscores]__.exe, not a .zip file; the file is approx. 455 kB.

The trojan is known as Trojan.Generic.KDV.603680 (BitDefender), W32/VBTrojan.9!Maximus (F-Prot), Trojan.Generic.KDV.603680 (GData), Trojan.Win32.Agent.hvvx (Kaspersky).

At the time of writing, 17 of the 42 AV engines on VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 41ec35c3291d38c827842b26fa280976fb4f71e86637ea527b1a52a4a10b831e.

[UPDATE: Apr 19, 2012 @ 20:37]

The campaign is evolving as new messages arrive. The embedded URL now contains “overeenkomst.zip” instead of “handtekening.zip”. The downloaded file is named overeenkomst.Pdf__[many_underscores]__.exe.

A new sample from “contacto@inxtenso.com”, with the subject “nieuwe tekeningen” and the body:

Gentile utente, ******@******.nl.

Hier zijn tekeningen van gebouwen
hxxp://hemdip.com/handtekening/overeenkomst.zip?2n5WLKAKSU=******@******.nl

Another example comes from “walterba@netfront.net”, with the subject “tekeningen” and the body:

Ciao

Hier zijn tekeningen van gebouwen
hxxp://yoyo3d.com/overeenkomst/overeenkomst.zip?0bY47xQAC=******0ys@******.nl
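The samples above share two URL traits (a lure file name ending in .zip in the path and a query parameter whose value is the recipient's own address) and the served file hides an .exe behind a .Pdf name padded with underscores. The following is an added detection example written for this post, not MX Lab's own tooling; the lure-name list and the sample bodies are constructed from the samples quoted above, and the masked "******@******.nl" addresses are kept as they appear on the page.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Lure file names seen in the samples above; assumption: a starting point, not exhaustive.
LURE_NAMES = {"handtekening.zip", "overeenkomst.zip", "betaling.zip"}
# Matches http(s) and the defanged hxxp(s) form used in this write-up.
URL_RE = re.compile(r"""h(?:tt|xx)ps?://[^\s<>"']+""", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
# Served file name trick: <name>.Pdf, a run of underscores, then .exe
DISGUISED_EXE_RE = re.compile(r"\.pdf_+\.exe$", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Return every URL in an email body, with trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def classify_url(url: str) -> dict:
    """Check one URL for the two campaign traits: a lure .zip file name in the
    path, and a query parameter whose value is an email address (the recipient)."""
    parsed = urlparse(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE))
    file_name = parsed.path.rsplit("/", 1)[-1].lower()
    values = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    return {
        "host": parsed.hostname,
        "lure_zip": file_name in LURE_NAMES,
        "tracking_email": any(EMAIL_RE.match(v) for v in values),
    }


def is_campaign_lure(body: str) -> bool:
    """True when any URL in the body carries both traits at once."""
    return any(r["lure_zip"] and r["tracking_email"]
               for r in map(classify_url, extract_urls(body)))


def is_disguised_exe(served_name: str) -> bool:
    """True for names like handtekening.Pdf________.exe that pose as a PDF."""
    return bool(DISGUISED_EXE_RE.search(served_name))


# Constructed sample: the third email body quoted above (masked address as on the page).
SAMPLE_LURE = """Geachte klant.

Het verzenden van de overeenkomst te ondertekenen de laatste pagina,
af te drukken en stuur het naar mij door te scannen.
hxxp://1800street.com/overeenkomst/betaling.zip?GOerwDe7EWNaf=******@******.nl

Veel dank."""
# Constructed benign body: a .zip link without the recipient-tracking parameter.
SAMPLE_BENIGN = "Release notes: https://example.com/downloads/tools.zip?v=2"
```

Feed `is_campaign_lure` the text of each inbound message at the mail gateway, and apply `is_disguised_exe` to the file name the web proxy actually serves for a flagged URL, since the link says .zip but the response does not.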

[UPDATE: Apr 19, 2012 @ 21:15]

The following files are created:

%AppData%\Derify\arce.tyz
%AppData%\Yqru\nayh.exe
%AppData%\Ytcoor\odeck.buo
%Temp%\tmpbaedc28f.bat
%Temp%\tmpde4011bc\a4.exe

The following directories are created:

%AppData%\Derify
%AppData%\Yqru
%AppData%\Ytcoor
%Temp%\tmpde4011bc

New processes are created on the system:

cmd.exe – %System%\cmd.exe
a4.exe – %Temp%\tmpde4011bc\a4.exe

Several Windows registry changes are executed, and the trojan can establish connections to the following IPs on port 80:

208.109.181.62
69.163.150.228
72.167.2.1
74.125.228.20

Data can be obtained from the following URLs:

hxxp://www.kylemiller.biz/a4.exe
hxxp://bspsarea4a.co.uk/images/_vti_cnf/solpart.bin
hxxp://www.bspsarea4a.co.uk/images/_vti_cnf/solpart.bin
hxxp://rosellehealthplus.com/btn/image.php
hxxp://www.google.com/webhp
