MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “New Voice Message from No Caller ID on 25/02/2015 at 16:25”.
This email is sent from the spoofed address “email@example.com” <firstname.lastname@example.org> and has the following body:
You Have a New Voice Message
From: No Caller ID
Received: 18 December 2014 at 16:25
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)
To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.
Thank you for using RingCentral.
A screenshot of the message:
The attached file NoCallerID-1218-162550-153.wav.zip contains the 70 kB large file NoCallerID-1218-162550-153h.wav.exe.
The trojan is known as UDS:DangerousObject.Multi.Generic.
At the time of writing, only 1 of the 57 AV engines at VirusTotal detected the trojan.
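The lure relies on a double-extension executable (a .wav.exe inside a .zip) that Windows shows as a sound file. As an added example that is not part of the MX Lab post, the following Python check is the kind of rule a mail gateway or sandbox pre-filter can run on a zip attachment: it flags members whose name pairs a media/document extension with an executable one and whose content starts with the PE "MZ" header. The sample zip is constructed in memory with a harmless MZ stub, mirroring the attachment name from this campaign.

```python
import io
import zipfile

# Extensions Windows will run; a name such as foo.wav.exe is the classic
# double-extension lure used by this campaign.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".wav", ".mp3", ".pdf", ".doc", ".docx", ".txt", ".jpg"}


def is_double_extension(name: str) -> bool:
    """True for names like NoCallerID-1218-162550-153h.wav.exe."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS


def scan_zip_attachment(data: bytes) -> list:
    """Return [(member_name, [reasons])] for every suspicious zip member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if is_double_extension(info.filename):
                reasons.append("double extension")
            # Check the real content type, not just the name: PE files begin with "MZ".
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the campaign attachment; the payload is a
    harmless MZ stub followed by text, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NoCallerID-1218-162550-153h.wav.exe", b"MZ" + b"\x00" * 62 + b"stub")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_attachment(build_sample_zip()):
        print(f"QUARANTINE {name}: {', '.join(reasons)}")
```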
Update 26/02/2015 – 11:15 (Belgian time):
Further analysis shows that this trojan will download other malware from the following locations:
The trojan is known as UDS:DangerousObject.Multi.Generic, Sinowal.PDB or PE:Malware.XPACK-LNR/Heur!1.5594.
It will show a popup window on the desktop.
The processes edg2.exe and edg4.exe are created, Windows registry modifications are made, and the trojan can establish a connection with the following IP addresses on port 80:
At the time of writing, only 3 of the 57 AV engines at VirusTotal detected the trojan.