MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects “Successful Receipt of Online Submission for Reference 3649531” and “New Case”.
In both emails, the SMTP address “firstname.lastname@example.org” is being used but the emails are send out in two different formats while the trojan is the same variant.
Successful Receipt of Online Submission for Reference 3649531
The spoofed email address is “email@example.com <firstname.lastname@example.org>” and the body of the email:
Thank you for sending your VAT Return online. The submission for reference 3649531 was successfully received on Mon, 4 Nov 2013 01:44:27 -0600 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
The attached ZIP file has the name VAT_3649531.zip and contains the 25 kB large file VAT_11042013.exe.
The spoofed email address is “Companies House <email@example.com>” and the body of the email:
(CC01) Company Complaint for the above company was accepted on 11/04/2013.
The submission number is GG3O7O6WJ6L0V0G
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is…
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
Service Desk tel +44 (0)303 1234 500 or email firstname.lastname@example.org
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.
The attached ZIP file has the name Case_GG3O7O6WJ6L0V0G.zip and contains the 25 kB large file Case_11042013.exe.
Note that the numbers used in the filename of the trojan may vary.
The trojan is known as W32/Trojan.MOCW-3360, W32/Trojan3.GJQ, Trojan:W32/Agent.DUOO, UDS:DangerousObject.Multi.Generic or Troj/DwnLdr-LDL.
At the time of writing, 9 of the 45 AV engines did detect the trojan at Virus Total.