Hong Kong Monetary Authority “Invoice #3604196 – Remit file” contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice #3604196 – Remit file”, claiming to be sent on behalf of the Hong Kong Monetary Authority.

This email is sent from the spoofed address “Hong Kong Monetary Authority <invoice.3604196@hkma.gov.hk>” (note: at the SMTP envelope level the sender address is fraud@aexp.com, which does not match the From header) and has the following body:

The following is issued on behalf of the Hong Kong Monetary Authority

Attached is the invoice (Invoice_3604196.zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to hkma_invoice@hkma.gov.hk .

For more details please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you ,

HONG KONG MONETARY AUTHORITY 55th Floor Two International Finance Centre 8 Finance Street Central Hong Kong
© 2013 Hong Kong Monetary Authority. All rights reserved.

This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the
sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

The attached ZIP file is named Invoice_3604196.zip and contains the 23 kB file Invoice_09102013.exe. Note that the number combinations may vary.
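The two traits described above (a From header on hkma.gov.hk while the SMTP envelope sender is on aexp.com, and a ZIP attachment wrapping an .exe) are exactly what a mail-gateway triage check can flag. The script below is an added example, not MX Lab's code: it parses a message, compares the From domain with the Return-Path domain, opens any ZIP attachment in memory, hashes executables found inside and compares them with the SHA256 quoted in this post. The message it builds is constructed to mimic the campaign; the .exe inside is dummy bytes, so its hash is not the real sample's.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage
# SHA256 of the Invoice_09102013.exe sample reported in this post.
KNOWN_BAD_SHA256 = {"38867740252a2be8532303e66d759cd409715aef2bc286cfbf1011f6aa273aed"}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def _domain(addr):
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""

def triage(raw):
    """Flag the traits this campaign shows: a header From that does not match
    the SMTP envelope sender, and a ZIP attachment hiding an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"from_domain": _domain(msg["From"]),
                "envelope_domain": _domain(msg["Return-Path"]),
                "executables": [], "known_bad": False}
    findings["sender_mismatch"] = findings["from_domain"] != findings["envelope_domain"]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_SUFFIXES):
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                    findings["executables"].append((info.filename, digest))
                    if digest in KNOWN_BAD_SHA256:
                        findings["known_bad"] = True
    return findings

def build_sample():
    """Constructed message mimicking the campaign; the .exe body is placeholder
    bytes, not the real sample, so its hash will not match KNOWN_BAD_SHA256."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_09102013.exe", b"MZ placeholder, not malware")
    msg = EmailMessage()
    msg["Return-Path"] = "<fraud@aexp.com>"
    msg["From"] = "Hong Kong Monetary Authority <invoice.3604196@hkma.gov.hk>"
    msg["Subject"] = "Invoice #3604196 - Remit file"
    msg.set_content("Attached is the invoice (Invoice_3604196.zip) received from your bank.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_3604196.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

On the real sample the digest of the inner .exe would equal the listed SHA256 and `known_bad` would be True; the envelope/header mismatch alone is already a strong signal for quarantine.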

At the time of writing, 2 of the 48 AV engines on VirusTotal detected the trojan, as Trojan-Downloader. This trojan is just another variant of the one described in the earlier article Email with subject “ACH Notification” comes from fake email address ADP Payroll and contains trojan.

VirusTotal permalink and SHA256: 38867740252a2be8532303e66d759cd409715aef2bc286cfbf1011f6aa273aed.

Malwr permalink and SHA256: 38867740252a2be8532303e66d759cd409715aef2bc286cfbf1011f6aa273aed.