W32/Kryptik.CKUF!tr found in fake order info emails


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like “Order info: 5552133825” or “Order: 49003245482”.

This email is sent from spoofed addresses and has the following body:

Hi,

Your order #5552133825 will be shipped on 06.10.2014.
Date: October 01, 2014. 08:08pm
Price: £160.28
Transaction number: CA2AE333E068

Please find the detailed information on your purchase in the attached file sale2014-10-01_5552133825.rar

Yours sincerely,
Sales Department
Jennie Ragusano

 

Good morning,

Your order #49003245482 will be shipped on 02.10.2014.
Date: October 01, 2014. 07:52pm
Price: £187.29
Transaction number: 4D50896E86

Please find the detailed information on your purchase in the attached file item2014-10-01_49003245482.rar

Best regards,
Sales Department
Justine Nitzsche

The attached archive is in the .rar format, with a filename similar to item2014-10-01_49003245482.rar or sale2014-10-01_5552133825.rar, and contains the 65 kB file item2014-10-01_49003245482.exe or sale2014-10-01_5552133825.exe respectively. Please note that the numbers may vary.
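The subject, body and attachment name in the samples above all carry the same order number, which gives a mail filter something to correlate. The following Python sketch is an added example, not MX Lab's code; the function names, the trait labels and the assumption that the filename prefix can be any run of letters are illustrative, and the test message is constructed with placeholder attachment bytes.

```python
import re
from email.message import EmailMessage

# Subjects quoted in the post: "Order info: 5552133825", "Order: 49003245482".
SUBJECT_RE = re.compile(r"^Order(?: info)?:\s*(\d+)$", re.I)
# Body line quoted in the post: "Your order #5552133825 will be shipped on ...".
BODY_RE = re.compile(r"Your order #(\d+) will be shipped")
# Attachment: <word><YYYY-MM-DD>_<order number>.rar; the .zip form comes from the
# reader comment. Accepting any letters as the prefix is an assumption.
ATTACH_RE = re.compile(r"^[a-z]+\d{4}-\d{2}-\d{2}_(\d+)\.(?:rar|zip)$", re.I)


def campaign_traits(msg):
    """Return the lure traits found in an email.message.Message, in walk order."""
    traits, numbers = [], set()
    subject = SUBJECT_RE.match((msg.get("Subject") or "").strip())
    if subject:
        traits.append("subject")
        numbers.add(subject.group(1))
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachment = ATTACH_RE.match(name.strip())
            if attachment:
                traits.append("attachment-name")
                # The order number from the subject or body recurs in the file name.
                if attachment.group(1) in numbers:
                    traits.append("number-reused")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            body = BODY_RE.search(text)
            if body:
                traits.append("body")
                numbers.add(body.group(1))
    return traits


def build_sample(subject, body, filename):
    """Construct a test message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

A message that reports `number-reused` together with `attachment-name` is a reasonable candidate for quarantine or for unpacking the archive and checking for an executable inside.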

The trojan is known as W32/Kryptik.CKUF!tr, a variant of Win32/Kryptik.CMMO or Trojan.Win32.Krap.2!O.

At the time of writing, 3 of the 55 AV engines detected the trojan at VirusTotal.

Use the VirusTotal permalink for more detailed information.
SHA256: 721d21d2fbab9ff6a0a836cb6b5d6752126f9252a8d0bae37dc95bc3a4083200

One thought on “W32/Kryptik.CKUF!tr found in fake order info emails”

  1. I got one of these too.

    Greetings,

    Your order #2388261554 will be shipped on 15-12-2014.
    Date: December 08, 2014. 03:53pm
    Price: £171.58
    Transaction number: 161698A320

    Please find the detailed information on your purchase in the attached file order2014-12-08_2388261554.zip

    Kind regards,
    Sales Department
    Wendie Bumps
    +07716-151-172
