MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email that comes in multiple formats.
The trojan is known ad Trojan.Agent.ED or Trojan.Agent.ED and is detected by only 2 of the 48 engines at Virus Total.
In all cases, the trojan can produce outbound traffic and can download other files from the internet.
The system process hhcbrnaff.exe is created and several Windows registry modifications are perfomed.
The trojan can make connections with tristacey.com on port 443 (an HTTPS protocol port) and will connect as user “tristacey.com” with the password “tristacey.com”.
Virus Total permalink and SHA256: 298f7ccc398d150729ff9a6905f68b0fae93822bcd3b2f8293332a7d63733827.
IMPORTANT – NatWest Secure Message
This email has the subject “IMPORTANT – NatWest Secure Message”, is send from the spoofed address “NatWest.co.uk <firstname.lastname@example.org>” (note: on the SMTP level the from address is email@example.com) and has the following body:
You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6101.
First time users – will need to register after opening the attachment.
About Email Encryption –
The attached ZIP file has the name SecureMessage.zip and contains the 23 kB large file SecureMessage.exe.
Important – attached form
This email has the subject “IMPORTANT – NatWest Secure Message”, is send from the spoofed address “Maxine_Egan <Maxine_Egan@rbs.co.uk>” (note: on the SMTP level the from address is firstname.lastname@example.org) and has the following body:
Check attached form.
Commercial Banking Support
Thames Gateway Commercial Office
2nd Floor, Riverbridge House, Anchor Boulevard,
Crossways, Dartford, Kent DA2 6SL
Depot Code 023
Tel: 01322 505073
Fax: 01322 859462
Supporting your business ambitions – http://www.natwest.com/ahead
This information is classified as Confidential unless otherwise stated.
The Royal Bank of Scotland plc, Registered in Scotland No. 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent. The Royal Bank of Scotland plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
The attached ZIP file has the name RBS_Docs_hp.digital8.zip and contains the 23 kB large file RBS_Docs_10072013.exe.
This email has the subject “IMPORTANT – NatWest Secure Message”, is send from the spoofed address “Companies House <email@example.com>” (note: on the SMTP level the from address is firstname.lastname@example.org) and has the following body:
This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
(CC01) Company Complaint for the above company was accepted on 07/10/2013.
The submission number is Q7B8Z6WJNZAFF8G
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is…
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
Service Desk tel +44 (0)303 1234 500 or email email@example.com
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
The attached ZIP file has the name Case_Q7B8Z6WJNZAFF8G.zip and contains the 23 kB large file Case_07102013.exe.
Note that the number/letter combination in the subjects, body of the emails and naming of the attached files can change.