MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Tyranny of the police”.
This email exploits the incident in Ferguson, US, in which a civilian was shot by a police officer. After the release of the police officer, protests and riots broke out in Ferguson and in other US cities as well. Depending on where you live, this is or has been major news, and with these fake emails, sent out in the name of Deans & Lyons, LLP, a law firm based in Texas, the people behind this campaign are trying to draw more attention to their email and lure victims into it.
This email is sent from the spoofed address “Deans & Lyons <email@example.com>” and has the following body:
Our company make a survey research about horrible situation in Ferguson, state MS.
Please, follow the link above, vote and do not pass by!!!
Melinda Goens Paralegal
Deans & Lyons, LLP | deanslyons.com
Republic Center | 325 N. Saint Paul St., Suite 1500 | Dallas, TX 75201
Dallas | Houston
The embedded URL leads to hxxp://creative25.com/CNN_online/get_news.php to download the file BreakingNews_pdf63.zip. This ZIP archive contains the malware, a 23 kB file named BreakingNews_pdf.exe. After the download, the browser is redirected to an official CNN webpage with a news article from August 2014 about this and other past incidents.
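As an added example (not code from MX Lab or the original post), a Python check for the delivery pattern described above: a downloaded ZIP whose member is a small executable named to look like a PDF. The archive is constructed inside the script with a dummy MZ stub; the campaign's real sample is not used.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; a "news PDF" should never unpack to one of these.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Decoy tokens lure authors put before the real extension so the name reads like a document.
DECOY_TOKENS = re.compile(r"[_\-.](pdf|doc|docx|xls|txt)$", re.IGNORECASE)

def inspect_zip(zip_bytes: bytes) -> list:
    """Return a finding per member that looks like a disguised executable.

    Reasons: "executable-extension" (.exe & co), "decoy-document-name"
    (stem mimics a document, e.g. BreakingNews_pdf.exe), "pe-header" (starts with MZ).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            if not dot:  # no extension at all
                stem, ext = name, ""
            reasons = []
            if ("." + ext.lower()) in EXECUTABLE_EXTS:
                reasons.append("executable-extension")
            if DECOY_TOKENS.search(stem):
                reasons.append("decoy-document-name")
            # Only the first two bytes are read; the member is never fully extracted.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("pe-header")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample shaped like BreakingNews_pdf63.zip; the payload is a dummy MZ stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BreakingNews_pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```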
The trojan is known as UDS:DangerousObject.Multi.Generic, HEUR/QVM20.1.Malware.Gen or Upatre.FH.
At the time of writing, 3 of the 54 AV engines at VirusTotal detected the trojan.