“Your FNBO Direct application has been received” fake email contains trojan


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “Your FNBO Direct application has been received”. The campaign carries two trojan variants.

This email is sent from the spoofed address “service@fnbodirect.com” and has the following body:

Re: Applicant #2387586745

Hello,

Your application for an FNBO Direct account has been received. As an FNBO Direct customer, not only will you receive an exceptional interest rate,
you can be confident your accounts are held by a bank established in values of trust, integrity, and security.

Please find in the attached document information concerning your application.

Copyright (c) 2014 FNBO Direct, a division of First National Bank of Omaha. All Rights Reserved. Deposit Accounts are offered by First National Bank of Omaha,
Member FDIC. Deposits are insured to the maximum permitted by law.
P.O. Box 3707, Omaha, NE 68103-0707

For information on FNBO Direct’s privacy policy, please visit https://www.fnbodirect.com/comp/popups/privacy-policy.fhtml

Email ID: A1321.5

With this campaign, two different trojan variants have been detected that are being distributed by different emails but with the same content.

In the first email, the attached ZIP file is named FNBO_Direct_application_2387586745.zip and contains a 36 kB file named FNBO_Direct_application_6736058675729333128.pdf.exe.

The trojan is known as Win32/Heur, Unwanted-File (6b49d2001) or BehavesLike.Win32.Detnat.nc.

At the time of writing, 3 of the 53 AV engines at VirusTotal detected the trojan.

See the VirusTotal permalink for more detailed information.
SHA256: efb3852d0c9b491e1f8de9ff680d9b261ca327c4bba97c2f292c1d96df2616d6

In the second email, the attached ZIP file is named FNBO_Direct_application_5899418758.pdf.zip and contains a 520 kB file named FNBO_Direct_application_520330683936.pdf.exe.

The trojan is known as TR/Crypt.ZPACK.Gen, BehavesLike.Win32.Expiro.hm or HEUR/Malware.QVM20.Gen.

At the time of writing, 3 of the 53 AV engines at VirusTotal detected the trojan.

See the VirusTotal permalink for more detailed information.
SHA256: 38e5c74ced25b72c8d6e90a6369a311cdd2aaac718e601def3d6d4dccc02d5d4
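The indicators above (campaign subject, spoofed sender, a ZIP attachment hiding a .pdf.exe double-extension executable, and the two SHA256 hashes) can be checked mechanically at a mail gateway. The following is an added example, not MX Lab's code; the message format and the zip member payload are constructed here for the test, and the hash set is exactly the two values quoted in this post. It generalizes the check to any executable-behind-document-extension name, not only the two filenames seen.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as quoted in the write-up above
CAMPAIGN_SUBJECT = "Your FNBO Direct application has been received"
SPOOFED_SENDER = "service@fnbodirect.com"
KNOWN_SHA256 = {
    "efb3852d0c9b491e1f8de9ff680d9b261ca327c4bba97c2f292c1d96df2616d6",
    "38e5c74ced25b72c8d6e90a6369a311cdd2aaac718e601def3d6d4dccc02d5d4",
}

def is_double_extension_exe(name):
    # "x.pdf.exe": an executable wearing a document extension to fool the eye
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] == "exe"

def scan_message(raw):
    # Returns the list of indicator hits for one raw RFC 822 message (bytes)
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == CAMPAIGN_SUBJECT:
        hits.append("subject matches campaign")
    if SPOOFED_SENDER in (msg["From"] or "").lower():
        hits.append("sender matches spoofed address")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    digest = hashlib.sha256(zf.read(info)).hexdigest()  # read, never run
                    if is_double_extension_exe(info.filename):
                        hits.append("double-extension executable in zip: " + info.filename)
                    if digest in KNOWN_SHA256:
                        hits.append("known campaign sample: " + digest)
    return hits

def build_sample(subject, sender, member_name, member_bytes):
    # Constructed test message with one zip attachment (not a real sample)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.com"
    msg.set_content("Please find in the attached document information concerning your application.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FNBO_Direct_application_2387586745.zip")
    return msg.as_bytes()
```

A sender match alone is only a campaign indicator, since a legitimate message from that domain would match too; the double-extension and hash checks are the ones worth acting on.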

10 thoughts on ““Your FNBO Direct application has been received” fake email contains trojan”

  1. I got this today via my personal e-mail server. The e-mail originated from IP address 217.165.243.140 [bba170320.alshamil.net.ae]. Blocked IP address and e-mail address as well.

  2. Mine came from and at:
    Received: from ltea-178-013-229-080.pools.arcor-ip.net ([178.13.229.80])
    for ; 11 Oct 2014 20:42:36 -0000
