MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS Delivery Notification Tracking Number:E76TI8Q77G9OGH2YMB” (the tracking number varies with each message) that combines two techniques to infect a computer.
The first technique is simply an .exe attachment. The second starts when the attached HTML page is opened: the page tells the user that a browser plug-in is missing and offers to install it.
The email is sent from the spoofed address “UPS Quantum View <firstname.lastname@example.org>” and has the following body:
You have attached the invoice for your package delivery.
United Parcel Service
*** This is an automatically generated email, please do not reply ***
The attached .exe file is named invoiceE76TI8Q77G9OGH2YMB.PDF.exe, a double extension meant to pass as a PDF (the letter/number combination varies with each message).
The attached HTML file is named invoiceE76TI8Q77G9OGH2YMB.html (the letter/number combination varies with each message).
Let’s start with the attached .exe file. The trojan is detected as Win32/TrojanDownloader.Onkods.G, Trojan-Spy.Zbot or TROJ_GEN.F0D1H0ZHM13.
At the time of writing, 5 of the 46 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 3600343e88ed906ba83dd123c226b0ab0878d54c88983d3a7e4a0bbf9a1d957c.
The second technique relies on the HTML file being opened. Opening it shows the following screen:
The embedded URL leads to the following screen, where the user is told that a plug-in must be installed. Accepting starts the download of the file JavaJREInstaller.exe.
After the fake download and installation, a new screen asks for the parcel’s tracking number.
Entering one only produces the following on-screen message.
The trojan JavaJREInstaller.exe is detected as Trojan/Win32.Fareit, Trojan.PWS.Panda.2977, Win32/Spy.Zbot.AAO, W32/Kryptik.FA!tr, Trojan-Spy.Win32.Zbot.otpl, Artemis!00CE434CF737, Heur.Agent/Gen-WhiteBox, Suspicious.Cloud.5 or Trojan.Win32.ZAccess.bnc (v), and it downloads and requests further files over the internet.
On an infected machine the process vymeu.exe is created.
Several Windows registry changes are made, and the trojan establishes a connection to the host davs.microdnsz.com on port 80.
At the time of writing, 11 of the 46 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 49608f98944623321de3a8a46fa1e6f90926b6b1a51c9edd173ff1eac669705c.
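As an added example (this is not MX Lab’s code, nor part of the original post), the following Python script triages an .eml for the traits described above: the subject pattern, a display name claiming UPS on an address outside ups.com, executable and double-extension attachments, a PE header hidden under a harmless-looking extension, the two SHA256 hashes quoted in this post, and proxy log lines to the C2 host named above. The sample message and the proxy log line are constructed here; the attachment bytes are dummies, so the hash check will not fire on them. The extension lists, the ups.com domain check and the squid-style log format are assumptions, not details from the post.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# SHA256 hashes of the two samples quoted in the post.
KNOWN_BAD_SHA256 = {
    "3600343e88ed906ba83dd123c226b0ab0878d54c88983d3a7e4a0bbf9a1d957c":
        "invoice<id>.PDF.exe (Onkods/Zbot downloader)",
    "49608f98944623321de3a8a46fa1e6f90926b6b1a51c9edd173ff1eac669705c":
        "JavaJREInstaller.exe (Fareit/Zbot)",
}
# Host the second sample contacts on port 80, per the post.
NETWORK_IOC_RE = re.compile(r"(?<![\w.-])davs\.microdnsz\.com(?![\w-])")

# Assumed lists: common Windows executable extensions and the document
# types a double extension usually impersonates.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg"}
SUBJECT_RE = re.compile(r"UPS Delivery Notification Tracking Number:\s*[A-Z0-9]+", re.I)
HARD_PREFIXES = ("executable", "PE header", "known sample")


def classify_attachment(filename, data):
    """Return a list of findings for one attachment (name plus raw bytes)."""
    findings = []
    parts = filename.lower().rsplit(".", 2)   # keeps up to two extensions
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        findings.append("executable attachment")
        if len(parts) == 3 and parts[1] in DOC_EXTS:
            findings.append("double extension masquerading as ." + parts[1])
    if ext in ("html", "htm"):
        findings.append("HTML attachment")
    if data[:2] == b"MZ" and ext not in EXEC_EXTS:
        findings.append("PE header under non-executable extension")
    hit = KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())
    if hit:
        findings.append("known sample: " + hit)
    return findings


def sender_looks_spoofed(from_header):
    """Heuristic (assumption): display name says UPS, address is not @ups.com."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    return bool(re.search(r"\bups\b", name, re.I)) and not domain.endswith("ups.com")


def triage(raw_eml):
    """Parse a raw RFC 5322 message and return a report dict with a verdict."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    report = {
        "subject_match": bool(SUBJECT_RE.search(str(msg["Subject"] or ""))),
        "sender_spoofed": sender_looks_spoofed(str(msg["From"] or "")),
        "attachments": {},
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        report["attachments"][name] = classify_attachment(name, data)
    hard = any(f.startswith(HARD_PREFIXES)
               for fs in report["attachments"].values() for f in fs)
    if hard or (report["subject_match"] and report["sender_spoofed"]):
        report["verdict"] = "quarantine"
    elif report["subject_match"] or report["sender_spoofed"] or report["attachments"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "deliver"
    return report


def scan_proxy_log(lines):
    """Return the log lines that reference the C2 host from the post."""
    return [ln for ln in lines if NETWORK_IOC_RE.search(ln)]


def build_sample_eml():
    """Constructed message mimicking the campaign. Attachment bytes are dummies,
    so their hashes do not match the real samples."""
    msg = EmailMessage()
    msg["From"] = "UPS Quantum View <firstname.lastname@example.org>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "UPS Delivery Notification Tracking Number:E76TI8Q77G9OGH2YMB"
    msg.set_content("You have attached the invoice for your package delivery.\n"
                    "United Parcel Service\n")
    msg.add_attachment(b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
                       maintype="application", subtype="octet-stream",
                       filename="invoiceE76TI8Q77G9OGH2YMB.PDF.exe")
    msg.add_attachment("<html><body>Install the plug-in to track your parcel</body></html>",
                       subtype="html", filename="invoiceE76TI8Q77G9OGH2YMB.html")
    return msg.as_bytes()


if __name__ == "__main__":
    rep = triage(build_sample_eml())
    print(rep["verdict"], rep["attachments"])
    # Constructed squid-style access log line (assumed format).
    print(scan_proxy_log(["1385000000.123 10.0.0.5 TCP_MISS/200 512 GET "
                          "http://davs.microdnsz.com/ - DIRECT/203.0.113.9 text/html"]))
```

Run it as a script to see the verdict for the constructed message, or import `triage` and feed it real .eml files from the mail gateway’s quarantine. The hash check only helps for these exact two samples; the extension, PE-header and sender heuristics are what would catch the next variant with a different tracking number.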