MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Annual Form – Authorization to Use Privately Owned Vehicle on State Business”.
This email is send from a spoofed address (note: on the SMTP level the from address is email@example.com) and has the following body:
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.
The attached ZIP file has the name Form_xxxxxxx.be.zip (xxxxxxx is replaced with the destination domain from the email address followed by the TLD) and contains the 25 kB large file Form_20130810.exe. the trojan is known as Gen:Variant.Graftor.117573 (B), UDS:DangerousObject.Multi.Generic, Trojan.Agent.ED, PWSZbot-FIK!6828091CBF4A or Cutwail.CAS.
The trojan is capable of downloading files from the internet and to create outbound traffic.
The following file is created: %Temp%\hhcbrnaff.exe and a new process is created hhcbrnaff.exe.
The trojan makes connection with the host warehousesale.com.my on port 443 (IMAP port) with the username warehousesale.com.my and password warehousesale.com.my.
At the time of writing, 7 of the 48 AV engines did detect the trojan at Virus Total.