Order enquiries by email with link to malicious .scr file that contains a trojan

MX Lab, http://www.mxlab.eu, started to intercept a few email samples regarding order enquiries that have an embedded URL to a malicious .scr file.

The email is send from the spoofed address, has a subject similar to “Order Inquiries” and has, in this case, the following body:

Dear Sir / Madam,

My name is Tc Koung and I am the purchasing officer for Aracom Business Group with head office based in the U.S.A.

We got your contact and recommendation from one of your old customers and we would like to place a large order for your products for our next trading year.

Please, find attached our order list, 3D pictures and drawings for your review.

Kindly quote your best prices for each product in the list. You are to quote FOB and payment terms as well.

Tc Koung
For: Aracom Business Group

Attached to the email is a scan of a document that looks like an official document. Further down, the email provides two URLs “View slideshow” and “Download all as a zip”. Those three items contains a link to hxxp://www.hclhotel.com/html/Transfer%20Slip.scr.

The downloaded Transfer Slip.scr is 564 kB large and contains a trojan Trojan/Win32.Zbot, Win32:Rootkit-gen [Rtk], W32/Backdoor.LNJT-9164, PWS-Zbot-FASF!6B751E04022C, W32/Zbot.FASF!tr, Trojan.Win32.Zbot.bvztxv or Troj/PWS-CDO.

The process votuiqo.exe is created on an infected system, several Windows registry changes will be exectued and data can be obtained from following URL: hxxp://www.asikaelue.com on port 80.

At the time of writing, 28 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: b25342654bbaede659206235b054f71ebf9a3d44a3448ee3f649c78a3293a702.