Trojan Gen:Variant.Graftor.155439 present in fake emails regarding payments


MX Lab, http://www.mxlab.eu, intercepted several campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is detected as Gen:Variant.Graftor.155439 by most AV engines, but it is also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48.

The first email comes with the subject “Re: today payment done”, is sent from spoofed addresses and has the following body:

Dear sir,

Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:

Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
Cont. #42 EXSQI013/MAY/13 US$29,154.66
——————–
Total Remittance: US$ 51,704.97

Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.

Thank you very much.

Best regards,
Me

The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. Note that .scr is the Windows screen saver extension: such a file is an ordinary PE executable and runs as soon as the recipient double-clicks it.

At the time of writing, 11 of the 54 AV engines on Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686

The second email comes with the subject “Re: Balance payment ”, is sent from spoofed addresses and has the following body:

The attached TT copy is issued at the request of our customer. The advice is for your reference only.

Yours faithfully,
Global Payments and Cash Management
Bank of America (BOA)

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this
email will be disregarded.

***************************************************************************

This e-mail is confidential. It may also be legally privileged.
If you are not the addressee you may not copy, forward, disclose
or use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely,
secure, error or virus-free. The sender does not accept liability
for any errors or omissions.
***************************************************************************

The attached ZIP file has the name original copy.zip and contains the original copy.scr file.

At the time of writing, 12 of the 55 AV engines on Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635
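Both campaigns use the same trick: a ZIP archive with a document-sounding name that actually holds a .scr executable. The following script is an added example (written for this page, not MX Lab's own tooling) of the check a mail gateway can run on such attachments: it opens the ZIP in memory, flags members by executable extension, by the PE “MZ” header in the content regardless of the name, by double extensions, and by SHA256 match against the two hashes listed above. The executable-extension list and the constructed sample archive (a fake “swift copy.scr” that only starts with an MZ header, not the real malware) are assumptions made for the example.

```python
import hashlib
import io
import zipfile

# SHA256 values reported on this page for the two .scr payloads.
KNOWN_BAD_SHA256 = {
    "db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686",
    "f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635",
}

# Assumption: a typical gateway block list of extensions Windows runs directly.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
    ".js", ".vbs", ".jar", ".msi", ".cpl",
}


def classify_member(name, data):
    """Return the reasons (if any) to treat one archive member as dangerous."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % ext)

    # A PE file starts with the 'MZ' DOS header whatever it is called,
    # so a renamed executable is still caught here.
    if data[:2] == b"MZ":
        reasons.append("PE header (MZ) in content")

    # 'invoice.pdf.scr' style names hide the real type behind a familiar one.
    stem = lower.rsplit(".", 1)[0] if ext else lower
    if ext and "." in stem:
        reasons.append("double extension")

    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches known sample")

    return {"name": name, "sha256": digest, "reasons": reasons}


def scan_zip_attachment(zip_bytes):
    """Inspect every file inside a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(classify_member(info.filename, zf.read(info)))
    return findings


def verdict(findings):
    """Block the message if any member raised at least one reason."""
    return "block" if any(f["reasons"] for f in findings) else "allow"


def build_sample_zip():
    """Constructed stand-in for 'swift copy.zip'; the .scr is a fake PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("swift copy.scr",
                    b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip_attachment(build_sample_zip())
    for r in results:
        print(r["name"], r["sha256"][:16], r["reasons"])
    print("verdict:", verdict(results))
```

The hash match is the weakest of the four checks: with only 11 or 12 of roughly 55 engines detecting these samples at the time, a hash list lags every repack of the payload, whereas an executable inside a “copy” or “invoice” ZIP is suspicious on its own and should be blocked regardless of whether the hash is known.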