New trojan variant from fraud@aexp.com hidden in two different email formats


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects “Successful Receipt of Online Submission for Reference 3649531” and “New Case”.

In both emails, the SMTP address “fraud@aexp.com” is used, but the emails are sent out in two different formats, while the trojan is the same variant.

Successful Receipt of Online Submission for Reference 3649531

The spoofed email address is “noreply@hmrc.gov.uk <noreply@hmrc.gov.uk>” and the body of the email:

Thank you for sending your VAT Return online. The submission for reference 3649531 was successfully received on Mon, 4 Nov 2013 01:44:27 -0600  and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attached ZIP file is named VAT_3649531.zip and contains the 25 kB file VAT_11042013.exe.

New Case

The spoofed email address is “Companies House <webfiling@companieshouse.gov.uk>” and the body of the email:

(CC01) Company Complaint for the above company was accepted on 11/04/2013.

The submission number is GG3O7O6WJ6L0V0G

Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.

Not yet filing your accounts online? See how easy it is…

Note: reference to company may also include Limited Liability Partnership(s).

Thank you for using the Companies House WebFiling service.

Service Desk tel +44 (0)303 1234 500 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

The attached ZIP file is named Case_GG3O7O6WJ6L0V0G.zip and contains the 25 kB file Case_11042013.exe.

Note that the numbers used in the filename of the trojan may vary.
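Because the file names vary, filtering on structure is more durable than filtering on names. The following triage sketch is an added example, not MX Lab code: it flags a message whose From header domain differs from the SMTP address and whose ZIP attachment contains an executable. It assumes the "SMTP address" is the envelope sender handed over by the mail server; `triage`, `build_sample` and the extension list are hypothetical names and choices, and the sample message is constructed from the details above with harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of extensions treated as executable; extend to match local policy.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")

def domain(addr):
    """Lower-cased domain part of an address or 'Name <address>' string."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw_bytes, envelope_sender):
    """Return a list of findings for one raw message and its envelope sender."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom, env_dom = domain(msg["From"]), domain(envelope_sender)
    if from_dom != env_dom:
        findings.append(f"sender-mismatch: From={from_dom} envelope={env_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_content())).namelist()
        except zipfile.BadZipFile:
            findings.append(f"unreadable-zip: {name}")
            continue
        for member in members:
            if member.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"exe-in-zip: {name} -> {member}")
    return findings

def build_sample():
    """Constructed test message; the 'executable' is placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Case_11042013.exe", b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Companies House <webfiling@companieshouse.gov.uk>"
    msg["To"] = "user@example.com"  # constructed recipient
    msg["Subject"] = "New Case"
    msg.set_content("Please quote this number in any communications.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Case_GG3O7O6WJ6L0V0G.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample(), "fraud@aexp.com"):
        print(finding)
```

A sender mismatch on its own also occurs in legitimate mail (mailing lists, bulk senders), so treat it as a signal to combine with the attachment finding rather than as a verdict.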

The trojan is known as W32/Trojan.MOCW-3360, W32/Trojan3.GJQ, Trojan:W32/Agent.DUOO, UDS:DangerousObject.Multi.Generic or Troj/DwnLdr-LDL.

At the time of writing, 9 of the 45 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 5cbb4253e746fc92cab1ec2d560ddb6ea0fb7e3d3780905ae2651cee746d8df6.
Malwr permalink and SHA256: 5cbb4253e746fc92cab1ec2d560ddb6ea0fb7e3d3780905ae2651cee746d8df6.
