MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar to “Reservation Confirmation , Tue, 31 Jul 2012 18:19:42 +0900”.
The email is sent from the spoofed address “Booking.com <email@example.com>” and has the following body:
Date: Tue, 31 Jul 2012 18:19:42 +0900 —
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
Arrival: Saturday, August 04, 2012
Departure: Monday, August 06, 2012
Number of rooms: 1
Customer Service Team
Your Reference ID is: 8751747
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
-Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.
The attached ZIP file has the name Booking_Confirmation_073120123972991.zip and contains the 37 kB file Booking_Confirmation_07312012.exe.
The trojan is known as W32/Falab.J2.gen!Eldorado, Trojan-Spy.Agent, Downloader.Dromedan or TROJ_KRYPTIK.NC.
At the time of writing, only 9 of the 41 AV engines detected the trojan at VirusTotal.
Virus Total permalink and SHA256: 78cca5db33888091d98854835d6ca80b77568d5f106a9d7739e7a3efa02df659.
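As an added illustration (not part of MX Lab's post), a hypothetical Python mail-gateway check that flags the traits described above: a display name claiming Booking.com over a foreign sender domain, the campaign subject, a ZIP attachment wrapping an executable, and a SHA256 match against the published hash. The sample message is constructed here and its archive holds inert bytes, not the real binary.

```python
import email, email.utils, hashlib, io, zipfile
from email.message import EmailMessage

# SHA256 published in the write-up; EXEC_EXT is an assumed list of risky extensions.
KNOWN_SHA256 = {"78cca5db33888091d98854835d6ca80b77568d5f106a9d7739e7a3efa02df659"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def analyse(raw: bytes) -> list:
    """Return findings for one RFC 822 message (empty list = nothing suspicious)."""
    msg = email.message_from_bytes(raw)
    findings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Display name says Booking.com but the address is not under booking.com
    if "booking.com" in name.lower() and domain != "booking.com" and not domain.endswith(".booking.com"):
        findings.append(f"display-name spoofing: {name} <{addr}>")
    if "reservation confirmation" in msg.get("Subject", "").lower():
        findings.append("campaign subject pattern")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append("corrupt zip attachment: " + fname)
            continue
        for info in zf.infolist():  # look inside the archive, not just at its name
            if info.filename.lower().endswith(EXEC_EXT):
                findings.append(f"executable inside zip: {fname} -> {info.filename}")
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                if digest in KNOWN_SHA256:
                    findings.append("known sample SHA256: " + digest)
    return findings

def build_sample() -> bytes:
    """Constructed test message mimicking the campaign (payload is inert bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking_Confirmation_07312012.exe", b"MZ not a real program")
    m = EmailMessage()
    m["From"] = "Booking.com <email@example.com>"
    m["Subject"] = "Reservation Confirmation , Tue, 31 Jul 2012 18:19:42 +0900"
    m.set_content("Herewith you receive the electronic reservation for your hotel.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Booking_Confirmation_073120123972991.zip")
    return bytes(m)
```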