The story continues with fraud@aexp.com when a new trojan variant emerges in two different email formats


Every day we see a new virus or trojan pass by that is sent from the SMTP envelope sender fraud@aexp.com, and today is no different. MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subjects “Unable to process your most recent Payment”, purporting to come from HSBC UK, and “FW: Case domain.tld”, purporting to come from Companies House (domain.tld is replaced by the recipient's domain name).

HSBC UK

This email comes with the subject “Unable to process your most recent Payment”, is sent from the spoofed address “HSBC.co.uk” <service@hsbc.co.uk> and has the following body:

You have a new e-Message from HSBC.co.uk

This e-mail has been sent to you to inform you that we were unable to process your most recent payment.

Please check attached file for more detailed information on this transaction.

Pay To Account Number:   **********94
Due Date: 06/11/2013
Amount Due: £ 643.76

IMPORTANT: The actual delivery date may vary from the Delivery by date estimate. Please make sure that there are sufficient available funds in your account to cover your payment
beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
Copyright HSBC 2013. All rights reserved. No endorsement or approval of any third parties or their advice, opinions, information, products or services is expressed or implied by any information on this Site or by any hyperlinks to or from any third party websites or pages. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website..

The attached ZIP file is named HSBC_Payment_06112013.zip and contains the 28 kB file Payment_06112013.exe.

Companies House

This email comes with the subject “FW: Case domain.tld”, purporting to come from Companies House (domain.tld is replaced by the recipient's domain name), is sent from the spoofed address “HSBC.co.uk” <service@hsbc.co.uk> and has the following body:

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.

(CC01) Company Complaint for the above company was accepted on 06/11/2013.

The submission number is 1193671

Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.

Not yet filing your accounts online? See how easy it is…

Note: reference to company may also include Limited Liability Partnership(s).

Thank you for using the Companies House WebFiling service.

Service Desk tel +44 (0)303 6069 927 or email enquiries@companieshouse.gov.uk

Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

The attached ZIP file is named Case_1193671.zip and contains the 28 kB file Case_06112013.exe.

The trojan is known as Worm/Win32.Palevo, TR/Crypt.Xpack.3685, W32/Trojan.UOSL-1532, Trojan.Downloader.JQEJ, Downloader-FVM!DCA1C11AA0C5, Artemis!DCA1C11AA0C5, Trj/Downloader.WKY or Troj/Zbot-GVA.

The trojan is capable of downloading files and connecting to other hosts over HTTP. It collects information to fingerprint the system, modifies the local firewall settings and policies, and installs itself to run at startup of the infected system. Furthermore, this trojan can steal information from browsers.

At the time of writing, 22 of the 47 AV engines at VirusTotal detected the trojan.

Malwr permalink, Virus Total permalink and SHA256: f03b734ba8396868d416538ff4725b346096e11512518bf21c7b1cc095939796.
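Both emails above share the traits a mail gateway can key on: an envelope sender (fraud@aexp.com) whose domain differs from the spoofed From: header, an SPF softfail for that envelope domain, and a ZIP attachment whose only member is an .exe. The following is an added example, not MX Lab's own code, that builds a constructed message with those traits (the attachment member is an empty placeholder, not the malware; 192.0.2.10 is a documentation address) and runs a small indicator scan over it:

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def build_sample(return_path: str, member: str) -> bytes:
    """Construct a test message shaped like the HSBC variant: spoofed From: header and a
    ZIP attachment whose single member is `member` (empty bytes, not the real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    msg = EmailMessage()
    msg["Return-Path"] = f"<{return_path}>"
    msg["From"] = '"HSBC.co.uk" <service@hsbc.co.uk>'
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Unable to process your most recent Payment"
    if return_path.endswith("@aexp.com"):
        # Mirrors the SPF verdict quoted in the comments; the IP is a documentation address.
        msg["Received-SPF"] = ("softfail (transitioning domain of aexp.com does not "
                               "designate 192.0.2.10 as permitted sender)")
    msg.set_content("You have a new e-Message from HSBC.co.uk")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="HSBC_Payment_06112013.zip")
    return msg.as_bytes()

def scan_message(raw: bytes) -> list:
    """Return the indicators found: envelope/header domain mismatch, SPF (soft)fail,
    and executables hidden inside ZIP attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    env = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    hdr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if env and hdr and env.rsplit("@", 1)[-1].lower() != hdr.rsplit("@", 1)[-1].lower():
        findings.append(f"envelope/header domain mismatch: {env} vs {hdr}")
    spf = str(msg.get("Received-SPF", ""))
    if spf.lower().startswith(("fail", "softfail")):
        findings.append(f"SPF result: {spf.split()[0]}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                findings += [f"executable inside {name}: {m}" for m in zf.namelist()
                             if m.lower().endswith(EXEC_EXTENSIONS)]
        except zipfile.BadZipFile:
            findings.append(f"unreadable ZIP attachment: {name}")
    return findings
```

Running `scan_message(build_sample("fraud@aexp.com", "Payment_06112013.exe"))` reports all three indicators, while a message whose envelope sender matches hsbc.co.uk and whose ZIP carries a PDF reports none.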

3 thoughts on “The story continues with fraud@aexp.com when a new trojan variant emerges in two different email formats”

  1. I think the Cutwail spambots just leave the Envelope From headers (MAIL FROM:) as something for a long time. The aexp.com series has been in effect for several months as far as I can tell. It shows up in the HELOs sometimes too.

    Only the From: headers change based on who they are actually trying to spoof.

  2. I found another variant today, but haven’t looked at the attachments (just headers):

    From: (Incoming.Fax0@yourdomain.com)
    Scanned Image from a Xerox WorkCentre

    Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

    Sent by: (yourdomain.com)
    Number of Images: 1
    Attachment File Type: ZIP [PDF]

    WorkCentre Pro Location: Machine location not set Device Name: 4WTVY3OMTC

    Attached file is scanned image in PDF format.
    Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

  3. I received one today, claiming to be from gateway.confirmation@gateway.gov.uk, in other words the Job centre. Wrong email address; it went to the one used by the work programme provider. Its message was as follows:
    The submission for reference 435/GB8223035 was successfully received and was not processed.

    Check attached copy for more information.

    This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.

    One attachment: GB8223035.zip
    As I threatened to take the WP provider to the fraud dept of DWP, I figured it was a virus to put a stop to my doing so.
    Full headers show: 09:16:22 +0000
    Return-Path:
    X-YahooFilteredBulk: 90.83.98.33
    Received-SPF: softfail (transitioning domain of aexp.com does not designate 90.83.98.33 as permitted sender)

    As I suspected from the start, I did not download the attachment.
