Another new trojan variant comes in multiple formats from the SMTP sender fraud@aexp.com


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign from the spoofed SMTP email address fraud@aexp.com.

Gateway Registration Notification

The first sample is sent from the spoofed address “gateway.confirmation@gateway.gov.uk” <gateway.confirmation@gateway.gov.uk>, has the subject “Gateway Registration Notification” and has the following body:

Thank you for registering for the Government Gateway.

The Government Gateway is the UK’s centralised registration service for e-Government services.

To find out which Government Services are available on-line please see attached form.

You may enroll for the on-line Services at any time; however, some services need to be activated before you can use them. For these services you will receive a letter confirming your Activation code and instructions on how to activate the service, within seven days of enrolling.

To return to the HMRC_SMS through which you were registered please visit
http://www.hmrc.gov.uk.

This is an automatically generated email. Please do not reply as the
email address is not monitored for received mail.

The attached ZIP file is named Government Gateway Reg Form.zip and contains the 23 kB file Government Gateway Reg Form.exe.

At the time of writing, 9 of the 47 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256: be875a8d5a19c57fce07df7df9c63274725e7bf2feb939004231616b62b47834

Important – attached form

The second sample is sent from the spoofed address “Shane_Snell <Shane_Snell@rbs.co.uk>”, has the subject “Important – attached form” and has the following body:

Check attached form.

Douglas_Herron
Portfolio Manager
Commercial Banking Support
Thames Gateway Commercial Office
2nd Floor, Riverbridge House, Anchor Boulevard,
Crossways, Dartford, Kent  DA2 6SL
Depot Code 023

Tel:  01322 156982
Fax: 01322 057613
email: Douglas_Herron@rbs.co.uk
Supporting your business ambitions – www.natwest.com/ahead

This information is classified as Confidential unless otherwise stated.

The Royal Bank of Scotland plc, Registered in Scotland No. 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent. The Royal Bank of Scotland plc may monitor e-mails for business and operational purposes. By replying to this message you give your consent to our monitoring of your email communications with us.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

The attached ZIP file is named Form_jcme.zip and contains the 20 kB file Form_10232013.exe.

At the time of writing, 6 of the 46 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 4bcae214720a82b3040ff76e75976f4521db559a7f25b63c5bf89988644677cd
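Both samples share the same shape: an envelope sender (fraud@aexp.com) that does not match the display From address, and a ZIP attachment wrapping a single small executable. The following is an added example of a mail-gateway check for exactly that pattern; it is not MX Lab's code and not part of the original post. It parses a message, flags executables inside ZIP attachments, hashes each one and looks the SHA256 up against the two hashes reported above. The sample message, its payload bytes, the executable suffix list and the size cap are constructed assumptions for the demonstration.

```python
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# SHA256 values for the two payloads as reported on the page.
KNOWN_PAYLOAD_SHA256 = {
    "be875a8d5a19c57fce07df7df9c63274725e7bf2feb939004231616b62b47834": "Government Gateway Reg Form.exe",
    "4bcae214720a82b3040ff76e75976f4521db559a7f25b63c5bf89988644677cd": "Form_10232013.exe",
}

# Member names a gateway should treat as executable content (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate anything larger (zip-bomb guard)


def build_sample_message(zip_name, member_name, member_bytes, header_from, envelope_from):
    """Build a constructed test message shaped like the campaign mails: a
    display From that differs from the SMTP envelope sender, plus a ZIP
    attachment wrapping one executable. Not a real capture."""
    msg = EmailMessage()
    msg["Return-Path"] = f"<{envelope_from}>"
    msg["From"] = header_from
    msg["To"] = "user@example.org"
    msg["Subject"] = "Gateway Registration Notification"
    msg.set_content("Thank you for registering for the Government Gateway.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


def envelope_from_mismatch(raw):
    """True when the Return-Path domain differs from the From header domain.
    Mailing lists and forwarders also do this, so treat it as one signal to
    combine with the attachment findings, not a verdict on its own."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hdr = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return bool(env) and bool(hdr) and env != hdr


def scan_message(raw, known=KNOWN_PAYLOAD_SHA256):
    """Return one finding per executable inside any ZIP attachment, with the
    member's SHA256 looked up against the known payload hashes."""
    findings = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    continue
                digest = None
                if info.file_size <= MAX_MEMBER_BYTES:
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append({
                    "attachment": part.get_filename(),
                    "member": info.filename,
                    "size": info.file_size,
                    "sha256": digest,
                    "known_sample": known.get(digest),
                })
    return findings


if __name__ == "__main__":
    raw = build_sample_message(
        "Government Gateway Reg Form.zip", "Government Gateway Reg Form.exe",
        b"MZ constructed placeholder, not the real payload",
        "gateway.confirmation@gateway.gov.uk", "fraud@aexp.com")
    print("envelope/From mismatch:", envelope_from_mismatch(raw))
    for finding in scan_message(raw):
        print(finding)
```

The constructed payload bytes will not match either campaign hash, which is the point: a hash list only catches the samples already seen, while the structural rule (executable inside a ZIP, sent with a mismatched envelope sender) also catches the next variant before any AV engine has a signature for it.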

2 thoughts on “Another new trojan variant comes in multiple formats from the SMTP sender fraud@aexp.com”

  1. We blocked these and yesterday started getting huge quantities of e-mails, return path fraud@aexp.com from various senders (RR, Comcast, SBCglobal) subject “Im OK” or “Re: Im OK”, body “Im fine thanks , (woman’s name)”
    No links, no attachments.
