Complaint notification email from the Better Business Bureau contains trojan


MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “Case #67983656” (the number may vary) regarding a so-called complaint filed with the Better Business Bureau.

The email is sent from the spoofed address “Better Business Bureau <Ellen_Mullen@newyork.bbb.org>” and has the following body:

Owner/Manager

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by January 23, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada. This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,

BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region

The attached ZIP file is named BBB Complaint Case.zip and contains the 113 kB file BBB Complaint Case.exe.

The trojan is detected under the names Trojan/Win32.Tepfer, UDS:DangerousObject.Multi.Generic, Malware.Packer.SGX1 and Trojan.Agent/Gen-RogueRel.
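The lure above combines three things a mail gateway can check without any signature: a From address that claims bbb.org while the message arrives via an unrelated bounce domain, a "Case #NNNNNNNN" subject, and a ZIP attachment that wraps an .exe. The following script is an added example (not MX Lab's own filter) that triages a message offline on those points and hashes any executable found inside a ZIP so it can be compared with the SHA256 published later on this page. The message it builds is constructed for the example (the Return-Path domain mail.example.net and the fake PE bytes are assumptions); the From/Return-Path mismatch is a heuristic, and a production gateway would use SPF/DKIM/DMARC results instead.

```python
"""Offline triage of a suspected malware-bearing e-mail (added example)."""
import email
import email.policy
import email.utils
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the write-up on this page.
KNOWN_BAD_SHA256 = "a81ab264b6ae973d0b59e77271c36de6ec4549ccac63e38157fae51d76b32bbf"
SUBJECT_RE = re.compile(r"^\s*Case\s*#\s*\d{6,}", re.IGNORECASE)
# Extensions treated as executable content when found inside an archive.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Constructed sample resembling the campaign mail; not a real capture."""
    # Constructed stand-in for the dropper: MZ magic plus filler, not a real PE.
    payload = b"MZ" + b"\x00" * 64 + b"constructed for the example, not a real binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BBB Complaint Case.exe", payload)
    msg = EmailMessage()
    msg["Subject"] = "Case #67983656"
    msg["From"] = "Better Business Bureau <Ellen_Mullen@newyork.bbb.org>"
    msg["To"] = "owner@example.com"
    msg["Return-Path"] = "<bounce@mail.example.net>"  # assumption: unrelated bounce domain
    msg.set_content("The Better Business Bureau has received the above-referenced complaint ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="BBB Complaint Case.zip")
    return msg.as_bytes()


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return findings, SHA256 of executables inside ZIP attachments, and a verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    # Heuristic: claimed From domain differs from the bounce (Return-Path) domain.
    from_dom, rp_dom = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender domain mismatch: From={from_dom} Return-Path={rp_dom}")
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        findings.append("subject matches campaign pattern")

    hashes = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True)
        if not data:
            continue
        if data.startswith(b"PK\x03\x04"):  # ZIP magic, regardless of claimed extension
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        inner = info.filename
                        if inner.lower().endswith(EXEC_EXTS):
                            digest = hashlib.sha256(zf.read(info)).hexdigest()
                            hashes[inner] = digest
                            findings.append(f"executable inside ZIP attachment: {name} -> {inner}")
                            if digest == KNOWN_BAD_SHA256:
                                findings.append(f"known-bad SHA256 for {inner}")
            except zipfile.BadZipFile:
                findings.append(f"corrupt or encrypted ZIP attachment: {name}")
        elif name.lower().endswith(EXEC_EXTS):
            findings.append(f"bare executable attachment: {name}")

    # Quarantine on any executable-in-archive, or on two or more weaker signals.
    return {"findings": findings, "sha256": hashes,
            "quarantine": bool(hashes) or len(findings) >= 2}


if __name__ == "__main__":
    for line in triage(build_sample_message())["findings"]:
        print(line)
```

The archive check keys on the ZIP magic rather than the attachment's claimed name, so a renamed archive still gets opened; an encrypted archive raises BadZipFile on read and is reported rather than silently passed. Because the sample executable is constructed, its hash will not equal the published one, which is the expected result here.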

Once run, the trojan retrieves additional data (its payload) from the following URLs:

  • hxxp://www.itopservices.it/Ntx.exe
  • hxxp://faulpelz.ch/nnARS1b.exe
  • hxxp://wabsolutely.com/Egyo6cV.exe
  • hxxp://canadianposcorp.com/Zje.exe
  • hxxp://schenkelbot.com/hwk40m.exe
  • hxxp://ftp.institutodedesarrollo.es/kvWcmHRw.exe

The downloaded payload is about 364 kB and starts the following process:

suoka.exe (process filename: %AppData%\umser\suoka.exe)
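The download URLs and the dropped file path above are the indicators most useful after the fact: the URLs can be matched against web proxy logs and the path against endpoint file-creation events. The script below is an added example (not MX Lab's tooling) that refangs the hxxp URLs, matches proxy lines at two confidence levels (exact URL versus host only, since the same host may also serve legitimate content), and matches the dropped path where %AppData% has been expanded to its usual C:\Users\<user>\AppData\Roaming location. The Squid-style access.log lines and the Sysmon-like file-create events are constructed for the example; the client IPs, hostnames and field layout are assumptions.

```python
"""Match the campaign's network and host indicators against log lines (added example)."""
import re
from urllib.parse import urlsplit

# Defanged download URLs from the write-up on this page.
DOWNLOAD_URLS = [
    "hxxp://www.itopservices.it/Ntx.exe",
    "hxxp://faulpelz.ch/nnARS1b.exe",
    "hxxp://wabsolutely.com/Egyo6cV.exe",
    "hxxp://canadianposcorp.com/Zje.exe",
    "hxxp://schenkelbot.com/hwk40m.exe",
    "hxxp://ftp.institutodedesarrollo.es/kvWcmHRw.exe",
]
# %AppData%\umser\suoka.exe with %AppData% expanded to ...\AppData\Roaming.
DROPPED_FILE_RE = re.compile(r"\\AppData\\Roaming\\umser\\suoka\.exe$", re.IGNORECASE)

# Constructed Squid native-format lines: timestamp elapsed client action/code
# size method URL ident hierarchy/peer content-type.  Not real traffic.
SAMPLE_PROXY_LOG = [
    "1358000000.123 210 10.0.0.15 TCP_MISS/200 372736 GET http://www.itopservices.it/Ntx.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1358000001.456 80 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.20 text/html",
    "1358000002.789 60 10.0.0.22 TCP_MISS/404 512 GET http://faulpelz.ch/contact.php - HIER_DIRECT/203.0.113.30 text/html",
]
# Constructed file-create events in a flat key=value form.  Not real telemetry.
SAMPLE_FILE_EVENTS = [
    r"host=WS-15 event=FileCreate image=C:\Users\owner\AppData\Local\Temp\BBB Complaint Case.exe target=C:\Users\owner\AppData\Roaming\umser\suoka.exe",
    r"host=WS-15 event=FileCreate image=C:\Windows\explorer.exe target=C:\Users\owner\Documents\report.docx",
]


def refang(url: str) -> str:
    """Turn the defanged hxxp:// / hxxps:// scheme back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def index_iocs(urls):
    """Build (host, path) pairs for exact matches and a host set for weaker matches."""
    exact, hosts = set(), set()
    for u in urls:
        parts = urlsplit(refang(u))
        host = (parts.hostname or "").lower()
        exact.add((host, parts.path))
        hosts.add(host)
    return exact, hosts


def scan_proxy_log(lines, exact, hosts):
    """Return hits from Squid-style lines; field 6 is the requested URL."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client, url = f[2], f[6]
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        if (host, p.path) in exact:
            hits.append({"client": client, "url": url, "match": "exact_url"})
        elif host in hosts:
            # Same host as a dropper URL but a different path: worth a look, lower confidence.
            hits.append({"client": client, "url": url, "match": "host_only"})
    return hits


def scan_file_events(lines):
    """Return events whose target path is the dropped keylogger binary."""
    hits = []
    for line in lines:
        m = re.search(r"target=(.*)$", line)
        if m and DROPPED_FILE_RE.search(m.group(1).strip()):
            hits.append({"event": line, "match": "dropped_file_path"})
    return hits


def run_demo():
    exact, hosts = index_iocs(DOWNLOAD_URLS)
    return scan_proxy_log(SAMPLE_PROXY_LOG, exact, hosts), scan_file_events(SAMPLE_FILE_EVENTS)


if __name__ == "__main__":
    proxy_hits, file_hits = run_demo()
    for h in proxy_hits + file_hits:
        print(h)
```

Exact-URL hits paired with an application/octet-stream response of a few hundred kB (the payload is about 364 kB) are the ones to act on first; host-only hits need a second look because the download hosts may be compromised legitimate sites that also serve ordinary pages.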

The Windows registry is modified. The malware behaves as a keylogger, capturing all user keystrokes (including confidential details such as usernames, passwords and credit card numbers).

At the time of writing, 6 of the 46 AV engines on VirusTotal detected the trojan.

VirusTotal permalink and SHA256: a81ab264b6ae973d0b59e77271c36de6ec4549ccac63e38157fae51d76b32bbf.