Email “Remittance Docs” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Remittance Docs 6612542” (note that the number varies with each email).

The email is sent from spoofed addresses such as “Brittany_Kim <Brittany_Kim@chase.com>” and others, and has the following body:

Please find attached the remittance 6612542. If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
Brittany_Kim
Chase Private Banking Level III Officer
3 Times Square
New York, NY 10036
T. 212.004.5579
F. 212.667.3413

The attached ZIP file has the name Docs_****.com.zip (**** is replaced by the destination domain of the recipient) and contains the 120 kB file Docs_08222013_218.exe.
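The three traits described above (the numeric subject, a ZIP named after the recipient's own domain, and a `Docs_<date>_<n>.exe` inside it) can be turned into a mail-gateway check. The following is an added example, not MX Lab's code; the message records are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Traits of the campaign as described in the write-up.
SUBJECT_RE = re.compile(r"^Remittance Docs \d+$")
ZIP_RE = re.compile(r"^Docs_(?P<domain>[A-Za-z0-9.-]+)\.zip$", re.IGNORECASE)
INNER_EXE_RE = re.compile(r"^Docs_\d{8}_\d+\.exe$", re.IGNORECASE)

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    attachment: str            # name of the attached ZIP
    archive_members: tuple     # file names found inside the ZIP

def recipient_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def campaign_indicators(msg: Message) -> list:
    """List which of the campaign's traits the message exhibits."""
    hits = []
    if SUBJECT_RE.match(msg.subject):
        hits.append("subject matches 'Remittance Docs <number>'")
    m = ZIP_RE.match(msg.attachment)
    if m and m.group("domain").lower() == recipient_domain(msg.recipient):
        hits.append("ZIP is named after the recipient's own domain")
    if any(INNER_EXE_RE.match(name) for name in msg.archive_members):
        hits.append("ZIP contains a Docs_<date>_<n>.exe")
    return hits

def is_remittance_lure(msg: Message) -> bool:
    # Two independent traits are required so a genuine remittance notice
    # that merely shares the subject wording is not quarantined.
    return len(campaign_indicators(msg)) >= 2

# Constructed sample messages (not real captures).
SAMPLES = [
    Message("Brittany_Kim@chase.com", "user@example.com",
            "Remittance Docs 6612542", "Docs_example.com.zip",
            ("Docs_08222013_218.exe",)),
    Message("ap@supplier.test", "user@example.com",
            "Remittance Docs 4471", "Remittance_4471.pdf", ()),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.subject, "->", is_remittance_lure(s), campaign_indicators(s))
```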

The trojan is known as UDS:DangerousObject.Multi.Generic, Trojan.Agent.rfz, FakeSecTool-FAB!E9FBB397E66B, W32/Trojan.UYQI-8733, or Heur.Packed.Unknown.

This trojan is capable of stealing information such as personal financial data (credit card numbers, online banking login details), user profiles, software registration keys and passwords, and of downloading other files over the internet.

The following files will be created:

%Temp%\143031.bat

Several Windows registry changes will be executed and the following host names are requested:

  • watch-fp.ca
  • watch-fp.com
  • watch-fp.info
  • watch-fp.mobi
  • jatw.pacificsocial.com
  • richardsonlookoutcottages.nb.ca
  • idyno.com.au
  • riplets.net

The following HTTP URLs are requested:

  • hxxp://www.jatw.pacificsocial.com/VSMpZX.exe
  • hxxp://richardsonlookoutcottages.nb.ca/Q5Vf.exe
  • hxxp://idyno.com.au/kvdhx2.exe
  • hxxp://riplets.net/Qa7nXVT.exe

Further analysis shows that other malicious files are downloaded with the following characteristics.

The following files will be created:

%AppData%\Zuny\wilyab.exe
%AppData%\boleu.aca
%Temp%\XUMC16F.bat

Several Windows registry changes will be executed and the trojan establishes connections with the following sites on port 80:

google.com
swgawseyrgemairshvwvqcxxkeq.biz
tkonkjtwyqwtswcdxgzdqshuwkeiyt.com

At the time of writing, 7 of the 46 AV engines at VirusTotal detected the trojan.

Virus Total permalink and SHA256: d4ef6d13b24a41dc7f10ef93b0c4580a1553d8512a7a97b3c32b25b0d49ab464.

4 thoughts on “Email “Remittance Docs” contains trojan”

  1. I wasn’t paying attention and opened the pdf. It was running a program on task manager but I ended the process and deleted the files. It must have been less than a minute. Could it do anything serious in that amount of time?

    Thanks in advance.
