MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Remittance Advice from Anglia Engineering Solutions Ltd [ID 4264G]”. This campaign has all the characteristics of the previous one, covered in the earlier post “Remittance Advice for 245.58 GBP” contains malicious XLS file.
This email is sent from spoofed addresses and has the following body:
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Anglia Engineering Solutions Ltd
Tel: 01469 135823
This XLS, when opened, warns that it will use macros, and the workbook has three empty tabs with Russian or Cyrillic characters (see screenshot).
The attached file is named ID_4264G.xls (the numbers used in the subject and file name may vary) and uses macros to download a malicious binary that could infect your computer with a trojan.
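The lure described above (a remittance-advice subject with a varying `[ID ...]` tag and an `ID_....xls` attachment carrying a VBA macro) can be screened at the mail gateway before a user ever sees the macro warning. The following is an added example, not MX Lab's code: it parses a raw message with Python's standard `email` module, matches the subject and attachment-name patterns from this post, and applies a byte-level heuristic for VBA content (an OLE2 magic header plus the UTF-16LE directory names `Macros` and `_VBA_PROJECT` that macro-bearing containers carry). The sample message, sender addresses and the attachment bytes are constructed here; the attachment is not a real workbook, only the markers the heuristic looks for.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound document (legacy .xls/.doc containers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory-entry names that an OLE container carries when a VBA project is
# embedded. OLE stores these names as UTF-16LE, so encode them that way.
# This is a heuristic, not a full OLE parse (assumption: good enough for triage).
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]

# Campaign lures from the post: subject tag "[ID 4264G]" and attachment
# "ID_4264G.xls"; the digits vary between samples, so match them loosely.
SUBJECT_RE = re.compile(r"^Remittance Advice from .+ \[ID \d{3,5}[A-Z]\]$")
ATTACH_RE = re.compile(r"^ID_\d{3,5}[A-Z]\.xls$", re.IGNORECASE)


def ole_has_vba(data: bytes) -> bool:
    """True if data is an OLE2 file that contains VBA storage/stream names."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def triage_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the campaign's lure and payload."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = {"subject_match": bool(SUBJECT_RE.match(subject)), "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings["attachments"].append({
            "name": name,
            "name_match": bool(ATTACH_RE.match(name)),
            "is_ole": payload.startswith(OLE_MAGIC),
            "has_vba": ole_has_vba(payload),
        })
    lure_match = findings["subject_match"] or any(a["name_match"] for a in findings["attachments"])
    if any(a["has_vba"] for a in findings["attachments"]):
        findings["verdict"] = "quarantine"   # macro-bearing XLS from outside: hold it
    elif lure_match:
        findings["verdict"] = "review"       # lure text without a macro payload
    else:
        findings["verdict"] = "deliver"
    return findings


def build_sample_message(with_macros: bool = True) -> bytes:
    """Constructed test message mimicking the lure. The attachment is NOT a real
    workbook: OLE magic, padding, and (optionally) the UTF-16LE VBA names."""
    fake_xls = OLE_MAGIC + b"\x00" * 504
    if with_macros:
        fake_xls += "Macros".encode("utf-16-le") + b"\x00" * 64
        fake_xls += "_VBA_PROJECT".encode("utf-16-le")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed spoofed sender
    msg["To"] = "payables@example.invalid"     # constructed recipient
    msg["Subject"] = "Remittance Advice from Anglia Engineering Solutions Ltd [ID 4264G]"
    msg.set_content("We are making a payment to you.\n"
                    "Please find attached a copy of our remittance advice.")
    msg.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                       filename="ID_4264G.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message(with_macros=True)))
    print(triage_message(build_sample_message(with_macros=False)))
```

The verdict tiers are deliberate: a macro-bearing workbook from an external sender is quarantined regardless of subject, while a lure subject or `ID_....xls` name without any VBA markers is only flagged for review, so that a legitimate remittance spreadsheet is not silently dropped.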
The macro will download a binary from the following two places:
The trojan is known as Trojan.FakeMS.
This file is downloaded as test.exe and installed to %TEMP%\LNUDTUFLKOJ.exe; several Windows registry modifications are made and connections are established with the IPs:
MX Lab recommends not opening the attached XLS and removing it from your mailbox. If you open an XLS from foreign sources, please make sure that macros are disabled and only run macros from trusted authors.
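The drop pattern above (a download saved as test.exe, then an executable with a random-looking all-caps name under %TEMP%) is also visible on the endpoint. Below is an added hunting example, not MX Lab's code, that runs over constructed Sysmon-style FileCreate and ProcessCreate events: it flags an Office process writing an .exe into a temp directory, and an .exe launched from a temp directory whose parent is an Office process or whose name looks machine-generated (all uppercase, vowel-poor, like LNUDTUFLKOJ). The event field names, paths and the randomness threshold are assumptions chosen for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Office images that should not be dropping executables (assumption: this list).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Per-user and system temp directories, matched case-insensitively.
TEMP_RE = re.compile(r"\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\", re.I)

# Names like LNUDTUFLKOJ: 8-16 uppercase letters only.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,16}$")


def looks_random(stem: str) -> bool:
    """All-caps, vowel-poor basenames; ordinary words fail the vowel ratio."""
    if not RANDOM_NAME_RE.match(stem):
        return False
    vowels = sum(c in "AEIOU" for c in stem)
    return vowels / len(stem) < 0.35   # LNUDTUFLKOJ scores 3/11, SETUPHELPER 4/11


def hunt(events):
    """Return (rule, path) hits for the temp-drop pattern described in the post."""
    hits = []
    for ev in events:
        if ev["event"] == "FileCreate":
            writer = PureWindowsPath(ev["image"]).name.lower()
            target = ev["target"]
            if writer in OFFICE_IMAGES and TEMP_RE.search(target) \
                    and target.lower().endswith(".exe"):
                hits.append(("office_dropped_exe_in_temp", target))
        elif ev["event"] == "ProcessCreate":
            image = ev["image"]
            parent = PureWindowsPath(ev.get("parent_image", "")).name.lower()
            stem = PureWindowsPath(image).stem
            if TEMP_RE.search(image) and (parent in OFFICE_IMAGES or looks_random(stem)):
                hits.append(("exe_launched_from_temp", image))
    return hits


# Constructed sample events: two that match the campaign behaviour, two benign.
SAMPLE_EVENTS = [
    {"event": "FileCreate",
     "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "target": r"C:\Users\bob\AppData\Local\Temp\test.exe"},
    {"event": "FileCreate",
     "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "target": r"C:\Users\bob\Documents\budget.xlsx"},
    {"event": "ProcessCreate",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\LNUDTUFLKOJ.exe"},
    {"event": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for rule, path in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The two rules are independent on purpose: the first catches the initial test.exe write by the Office process, the second catches the renamed copy at execution time even if the FileCreate event was missed, and the vowel-ratio check keeps ordinary installer names such as setup.exe out of the results.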