MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “BP Fuel Card E-bill 5307630 for Account B842155” (note that the e-bill and account numbers vary from message to message).
The email is sent from the spoofed address “Fuel Card Services <email@example.com>” and has the following body:
Please note that this message was sent from an unmonitored mailbox which is unable to accept replies. If you reply to this e-mail your request will not be actioned.
Please find your e-bill attached.
To manage you account online please click http://eservices.fuelcardservices.com
If you would like to order more fuel cards please click http://www.fuelcard-group.com/cardorder/bp-burnley.pdf
If you have any queries, please do not hesitate to contact us.
Fuel Card Services Ltd
T 01282 310701
F 0844 840 9839
Supplied according to our terms and conditions. (see http://www.fuelcardservices.com/ebill.pdf).
Please also note that if you cannot open this attachment and are using Outlook Express
to view your mail you should select Tools / Options / Security Tab and deselect the
option marked “Do not allow attachments to be opened that potentially may be a virus”.
All of our outgoing mail is fully virus scanned but we recommend this facility is
The attached ZIP file is named FuelCard-ebill2920753.PDF.zip and contains the 32 kB file FuelCard-ebill7640027.PDF.exe, an executable given a double extension so that it passes for a PDF document.
The trojan is detected under the names TR/Gamarue.EL.1, Trojan.Generic.KD.886611, Win32/TrojanDownloader.Wauchos.I, Trojan:W32/Agent.DUJL, Trojan-Ransom.Win32.Blocker.auzk, Trojan.Ransom.ED and Troj/Agent-AAHY.
At the time of writing, 19 of the 46 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 4670284ea406a60b2d53ac4dba2343cb5d6cb7986abe6ea9056ae3a5484a7793
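The two indicators above that a mail gateway can act on are the attachment structure (a ZIP whose only member is a double-extension executable) and the SHA256 of the sample. The script below is an added example, not MX Lab's code or tooling: it parses a raw email, unpacks ZIP attachments in memory, flags members whose name ends in a document extension followed by an executable extension, and compares every hash against the SHA256 quoted in this write-up. The subject pattern generalises the single subject shown above (the numbers change per message), and the list of "document" and "executable" extensions is my own assumption, not something the write-up specifies. The sample message it builds is constructed for the demonstration and carries harmless dummy bytes, not the real payload.

```python
import email
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicator taken from the write-up above (the SHA256 quoted there).
KNOWN_SHA256 = {
    "4670284ea406a60b2d53ac4dba2343cb5d6cb7986abe6ea9056ae3a5484a7793",
}
# Generalised from the one subject quoted in the write-up; digits vary per message.
SUBJECT_RE = re.compile(r"^BP Fuel Card E-bill \d+ for Account [A-Z]\d+$")
# Assumed extension lists: a document-looking extension directly followed by an
# executable one, e.g. "FuelCard-ebill7640027.PDF.exe".
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|txt|jpg)\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE
)


def analyse_zip(data: bytes) -> list:
    """Return one finding per ZIP member: name, size, SHA256 and the double-extension flag."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            findings.append({
                "member": info.filename,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "double_extension": bool(DOUBLE_EXT_RE.search(info.filename)),
            })
    return findings


def analyse_message(raw: bytes) -> dict:
    """Classify a raw RFC 822 message by known hash, attachment structure and subject."""
    msg = email.message_from_bytes(raw)
    report = {
        "subject_matches_campaign": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
        "attachments": [],
        "verdict": "clean",
    }
    for part in msg.walk():
        filename = part.get_filename()
        if part.get_content_maintype() == "multipart" or not filename:
            continue
        payload = part.get_payload(decode=True)
        entry = {"filename": filename,
                 "sha256": hashlib.sha256(payload).hexdigest(),
                 "members": []}
        if filename.lower().endswith(".zip"):
            entry["members"] = analyse_zip(payload)
        report["attachments"].append(entry)

    # Hashes of both the ZIP containers and their unpacked members are checked.
    seen_hashes = {a["sha256"] for a in report["attachments"]}
    seen_hashes |= {m["sha256"] for a in report["attachments"] for m in a["members"]}
    if seen_hashes & KNOWN_SHA256:
        report["verdict"] = "known_malware"
    elif any(m["double_extension"] for a in report["attachments"] for m in a["members"]):
        report["verdict"] = "suspicious_double_extension"
    elif report["subject_matches_campaign"]:
        report["verdict"] = "suspicious_subject"
    return report


def build_sample_message() -> bytes:
    """Constructed sample that mirrors the campaign's layout with a dummy payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Dummy bytes standing in for the executable; this is NOT the real sample.
        zf.writestr("FuelCard-ebill7640027.PDF.exe", b"MZ" + b"\x00" * 30)
    msg = EmailMessage()
    msg["From"] = "Fuel Card Services <email@example.com>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "BP Fuel Card E-bill 5307630 for Account B842155"
    msg.set_content("Please find your e-bill attached.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FuelCard-ebill2920753.PDF.zip")
    return bytes(msg)


if __name__ == "__main__":
    result = analyse_message(build_sample_message())
    print(result["verdict"])
    for attachment in result["attachments"]:
        for member in attachment["members"]:
            print(member["member"], member["size"], member["sha256"], member["double_extension"])
```

Because the constructed ZIP does not contain the real file, its hash never matches the quoted SHA256 and the verdict comes from the structural check instead; on a real capture the hash match fires first. The double-extension rule is deliberately evaluated on the unpacked member names, since the outer .PDF.zip name alone is not conclusive.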