MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “FW : DNB Complaint – 7000418” (the number may change).
The email is sent from the spoofed address “Dun & BradStreet <email@example.com>”, “Dun & BradStreet <firstname.lastname@example.org>” or “Dun & BradStreet <email@example.com>” and has the following body:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by July 26, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada. This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Dun and BradStreet. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Email body screenshot:
The attached ZIP file is named Case_7000418.zip and contains the 128 kB file Case_07162013.exe (the numbers in the file names may change).
The trojan is detected under names such as Trojan/Win32.Gen, UDS:DangerousObject.Multi.Generic, Malware.Packer.EPGen, Artemis!83F4A31A566A, Mal/Generic-S and W32/Kryptik.BDPK!tr. It acts as a keylogger that captures all user keystrokes, including confidential details such as usernames, passwords and credit card numbers.
The following file will be created:
Data can be obtained from following URLs:
New files are downloaded and new files are created:
The Windows registry is modified, and at the end of the infection process a connection is made to http://www.google.com/index.html, most likely as a simple connectivity check rather than a command-and-control contact.
At the time of writing, 10 of the 47 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 90fe606d73b265b9595aee12c9249df463f7f892045e46340b2db894bc0b740d.
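The campaign has two cheap indicators a mail gateway can act on before any AV signature exists: the attachment naming pattern (Case_<digits>.zip wrapping Case_<digits>.exe) and the published SHA-256 of the dropper. The following Python check is an added example written for this page, not MX Lab's own tooling. It opens a ZIP attachment in memory, hashes each member, compares against the known-bad hash, and otherwise flags executables (by extension or by the "MZ" PE header, which catches a renamed .exe). The sample ZIP in the test is constructed from a fake "MZ" header and contains no real malware; the regular expressions and the extension list are this example's assumptions, generalised slightly beyond the single file name seen here.

```python
import hashlib
import io
import re
import zipfile

# Indicator taken from the MX Lab post: SHA-256 of Case_07162013.exe.
KNOWN_BAD_SHA256 = {
    "90fe606d73b265b9595aee12c9249df463f7f892045e46340b2db894bc0b740d",
}

# Naming pattern seen in this campaign (assumption: the digits vary per mail).
CASE_ZIP_RE = re.compile(r"^Case_\d+\.zip$", re.IGNORECASE)
CASE_EXE_RE = re.compile(r"^Case_\d+\.exe$", re.IGNORECASE)

# Extensions Windows will execute on double-click (assumed policy list).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(filename, data):
    """Inspect one ZIP attachment (its filename and raw bytes).

    Returns a list of (member_name, reason, sha256_hex_or_None) findings.
    An empty list means nothing suspicious was seen. Encrypted members
    cannot be hashed and are reported as such; nested archives are not opened.
    """
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(filename, "corrupt zip", None)]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename.rsplit("/", 1)[-1]  # strip any directory part
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                findings.append((info.filename, "encrypted member", None))
                continue
            content = zf.read(info)
            digest = hashlib.sha256(content).hexdigest()
            lower = member.lower()
            is_pe = content[:2] == b"MZ"  # DOS/PE header, regardless of name

            if digest in KNOWN_BAD_SHA256:
                findings.append((info.filename, "known-bad sha256", digest))
            elif CASE_ZIP_RE.match(filename) and CASE_EXE_RE.match(member):
                findings.append((info.filename, "campaign naming pattern", digest))
            elif is_pe and not lower.endswith(EXEC_EXTENSIONS):
                findings.append((info.filename, "PE header with non-executable extension", digest))
            elif lower.endswith(EXEC_EXTENSIONS):
                findings.append((info.filename, "executable inside archive", digest))
    return findings


def build_sample_zip(member_name, payload):
    """Constructed test input: an in-memory ZIP with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 100  # constructed PE-like stub, not malware
    sample = build_sample_zip("Case_07162013.exe", fake_exe)
    for finding in inspect_zip_attachment("Case_7000418.zip", sample):
        print(finding)
```

The hash match is listed first so that a renamed copy of the dropper is still caught even if the campaign changes its file names; the header check below it means a .exe shipped as "Case_07162013.pdf" is still flagged. A real gateway would quarantine on any finding and log the digest for correlation with later VirusTotal lookups.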