Fake PO QN43568 order by email contains URL that downloads TTcopy.scr malware

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “PO QN43568”.

This email is sent from the spoofed address “Guangzhou Jintao Ceramic Co.,Ltd <janemarketings@xd.ae>” and has the following body:


Attached herewith is our companies order for 2013/14 kindly arrange pi for the same we await your early response

Guangzhou Jintao Ceramic Co.,Ltd,
Add: A Building, Jintao Industrial District, Rongshutang, Yongxing Village,
North Baiyun Road, Baiyun District, Guangzhou, China.
Tel: 0086-20-62153491
Fax: 0086-20-62153489
Jane Wang.

The embedded URL leads to the 311 kB file TTcopy.scr hosted at hxxp://ellavista.com/htm/TTcopy.scr. The URL is hidden behind a screenshot of what appears to be a scanned order form, and also behind the links “View slide show (1)” and “Download all as zip”.

The trojan is known as TR/Dropper.MSIL.Gen, Gen:Variant.Barys.1003 (B), MSIL/Injector.PEI!tr, Worm.Win32.Ainslot or MSIL:Crypt-QF [Trj].

At the time of writing, 10 of the 48 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 7de26a99d9288c3bebdde125ea3cd56122090604dd43281d004a6feea6c036df.
Malwr permalink and SHA256: 7de26a99d9288c3bebdde125ea3cd56122090604dd43281d004a6feea6c036df.
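The write-up above gives a mail gateway everything it needs to catch this campaign: links whose target is a Windows screensaver executable (.scr) dressed up as “View slide show” or “Download all as zip”, a link wrapped around an image, the defanged download URL and the SHA256 of TTcopy.scr. The following is an added example, written for this page and not MX Lab's own tooling, of a small mail-scanning routine that applies those checks. The sample messages are constructed to mirror the description above (same sender, subject, link texts and URL); the alert names, the list of executable extensions and the helper names are this example's own.

```python
import email
import hashlib
import re
from email import policy
from html.parser import HTMLParser

# Indicators taken from the MX Lab write-up: the defanged download URL (refanged
# here for comparison against live hrefs) and the SHA256 of TTcopy.scr.
KNOWN_BAD_URLS = {"hxxp://ellavista.com/htm/TTcopy.scr"}
KNOWN_BAD_SHA256 = {
    "7de26a99d9288c3bebdde125ea3cd56122090604dd43281d004a6feea6c036df",
}
# Extensions Windows runs directly; .scr is the one this campaign abuses.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def refang(url):
    """Turn a defanged hxxp:// indicator back into a comparable http:// URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


LIVE_BAD_URLS = {refang(u) for u in KNOWN_BAD_URLS}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw_bytes):
    """Return a list of (alert, detail, context) tuples for one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("html", "plain"))
    links = []
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            parser = _LinkExtractor()
            parser.feed(content)
            links = parser.links
        else:
            links = [(u, "") for u in re.findall(r"https?://\S+", content)]

    for href, text in links:
        url = refang(href)
        path = url.lower().split("?", 1)[0]
        if path.endswith(EXECUTABLE_EXTENSIONS):
            # A link that downloads an executable, whatever its label says
            findings.append(("executable_link", url, text))
        if url in LIVE_BAD_URLS:
            findings.append(("known_bad_url", url, text))
        if not text and path.endswith(EXECUTABLE_EXTENSIONS):
            # No visible text: the link is wrapped around an image (the "scanned order")
            findings.append(("link_behind_image", url, text))

    # Also hash any real attachments against the published SHA256 indicator
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            findings.append(("known_bad_attachment", part.get_filename(), digest))
    return findings


# Constructed sample modelled on the campaign described above (not a captured mail).
SAMPLE_EMAIL = b"""From: "Guangzhou Jintao Ceramic Co.,Ltd" <janemarketings@xd.ae>
To: purchasing@example.invalid
Subject: PO QN43568
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Attached herewith is our companies order for 2013/14 kindly arrange pi for the same</p>
<a href="http://ellavista.com/htm/TTcopy.scr"><img src="cid:order.png"></a><br>
<a href="http://ellavista.com/htm/TTcopy.scr">View slide show (1)</a>
<a href="http://ellavista.com/htm/TTcopy.scr">Download all as zip</a>
</body></html>
"""

# Constructed benign control message.
CLEAN_EMAIL = b"""From: supplier@example.invalid
To: purchasing@example.invalid
Subject: Invoice 2013-07
Content-Type: text/plain; charset="us-ascii"

Please find the invoice at https://portal.example.invalid/invoices/2013-07.html
"""

if __name__ == "__main__":
    for alert in analyse_message(SAMPLE_EMAIL):
        print(alert)
```

The `executable_link` check is the durable one: it fires on any mail that links straight to a `.scr`, regardless of the label or the host, whereas the URL and hash indicators only match this exact campaign. Both kinds of check belong in the gateway; the generic one catches the next variant, the specific ones give a clean, low-noise match for this one.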