Fake email from RingCentral regarding voice message contains attached trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Voice Message from No Caller ID on 25/02/2015 at 16:25”.

This email is sent from the spoofed address "notify-uk@ringcentral.com" <notify-uk@ringcentral.com> and has the following body:

You Have a New Voice Message

From: No Caller ID
Received: 18 December 2014 at 16:25
Length: 00:03
To: 020 3750 0638 * 302 (TAG The Automotive Group Ltd)

To listen to this message, open the attachment or use RingCentral Mobile App (download) to have instant access to all your messages on the go.

Thank you for using RingCentral.

A screenshot of the message:

The attached file NoCallerID-1218-162550-153.wav.zip contains the 70 kB file NoCallerID-1218-162550-153h.wav.exe.

The trojan is known as UDS:DangerousObject.Multi.Generic.

At the time of writing, 1 of the 57 AV engines on VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: 843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379
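The lure here is a double-extension payload (.wav.exe) inside a .zip that is presented as a voice message. The following script is an added example, not MX Lab's code, showing how a mail gateway or triage script can inspect such an attachment without opening it: it unpacks the archive in memory, flags members whose final extension is executable behind a media or document decoy, checks for the PE "MZ" magic, and compares the SHA256 against the two hashes published in this write-up. The attachment it builds for demonstration is constructed (the member name is the one from this campaign, the contents are a harmless fake), so its hash will not match the real sample.

```python
import hashlib
import io
import zipfile

# SHA256 values published in this write-up (the attached file and the
# second-stage download described in the update).
KNOWN_SHA256 = {
    "843c890b197dc780ea7b3c85688b6b11f8594083d2de055dce21fd1427ec0379",
    "c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b",
}

# Extensions that should never arrive as a "voice message" (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Decoy extensions used to make a payload look like media or a document (assumed list).
DECOY_EXTS = {".wav", ".mp3", ".pdf", ".doc", ".docx", ".txt", ".jpg"}


def inspect_archive_member(name: str, data: bytes) -> dict:
    """Return findings for one archive member: naming trick, PE magic, hash, IoC match."""
    lower = name.lower()
    parts = lower.rsplit(".", 2)  # e.g. ['nocallerid-...-153h', 'wav', 'exe']
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    double_extension = ext in EXECUTABLE_EXTS and inner in DECOY_EXTS
    is_pe = data[:2] == b"MZ"  # DOS/PE header magic
    sha256 = hashlib.sha256(data).hexdigest()
    known = sha256 in KNOWN_SHA256
    return {
        "name": name,
        "double_extension": double_extension,
        "executable_extension": ext in EXECUTABLE_EXTS,
        "pe_header": is_pe,
        "sha256": sha256,
        "known_ioc": known,
        "suspicious": double_extension or is_pe or known,
    }


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Inspect every member of a ZIP attachment in memory; nothing is executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(inspect_archive_member(info.filename, zf.read(info.filename)))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign attachment: the member name is the one
    from the write-up, the body is a harmless fake that only carries an MZ header."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"this is not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NoCallerID-1218-162550-153h.wav.exe", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_attachment()):
        print(finding)
```

A gateway rule built on this would quarantine on the naming trick or the PE header alone: at the time of the original analysis only 1 of 57 engines detected the file, so a hash match is the weakest of the three signals.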

Update 26/02/2015 – 11:15 (Belgian time):

Further analysis shows that this trojan downloads additional malware from the following locations:

hxxp://decapitated.cba.pl/java/bin.exe
hxxp://elsi.homepage.t-online.de/java/bin.exe

The trojan is known as UDS:DangerousObject.Multi.Generic, Sinowal.PDB or PE:Malware.XPACK-LNR/Heur!1.5594.

It will show a popup window on the desktop.

The processes edg2.exe and edg4.exe are created, Windows registry modifications are made, and the trojan can establish a connection with the following IP addresses on port 80:

92.63.87.13
5.196.241.196
66.110.179.66
202.44.54.5
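The download URLs, the port-80 addresses and the two process names above are the indicators a defender would sweep existing logs for. The following added example (not MX Lab's code) matches those indicators against three constructed log sources: a Squid-style proxy line, a firewall-style connection line and a Sysmon-style process-creation line. The three line formats are assumptions chosen for the demonstration; only the indicators come from this write-up.

```python
import re
from urllib.parse import urlparse

# Indicators from this write-up (URLs are defanged with hxxp as in the original).
DOWNLOAD_URLS = [
    "hxxp://decapitated.cba.pl/java/bin.exe",
    "hxxp://elsi.homepage.t-online.de/java/bin.exe",
]
C2_IPS = {"92.63.87.13", "5.196.241.196", "66.110.179.66", "202.44.54.5"}
C2_PORT = 80
DROPPED_PROCESSES = {"edg2.exe", "edg4.exe"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable URL."""
    return url.replace("hxxp://", "http://").replace("hxxps://", "https://").replace("[.]", ".")


DOWNLOAD_HOSTS = {urlparse(refang(u)).hostname for u in DOWNLOAD_URLS}

# Assumed formats for the three log sources used in this example.
# Squid-style proxy: "<ts> <elapsed> <client> <code>/<status> <bytes> <method> <url> ..."
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# Firewall-style: "<ts> <client>:<sport> -> <dst>:<dport>"
FW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
# Sysmon-style process creation: "<ts> host=<h> user=<u> image=<path>"
PROC_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=\S+\s+image=(?P<image>\S+)")


def match_line(line: str):
    """Return (indicator_type, indicator, where_seen) for a hit, or None."""
    m = PROXY_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname
        if host in DOWNLOAD_HOSTS:
            return ("download_url", host, m.group("client"))
        return None
    m = FW_RE.match(line)
    if m and m.group("dst") in C2_IPS and int(m.group("dport")) == C2_PORT:
        return ("c2_ip", m.group("dst"), m.group("client"))
    m = PROC_RE.match(line)
    if m:
        # Compare only the image file name; the drop directory varies per host.
        image = m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in DROPPED_PROCESSES:
            return ("dropped_process", image, m.group("host"))
    return None


def scan(lines):
    """Run every line through match_line and keep the hits."""
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed sample log lines; the indicators they contain are the ones above.
SAMPLE_LOGS = [
    "1424948100.123 245 10.0.0.21 TCP_MISS/200 71234 GET http://decapitated.cba.pl/java/bin.exe - DIRECT/1.2.3.4 application/octet-stream",
    "1424948101.001 12 10.0.0.21 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/5.6.7.8 text/html",
    "1424948110 10.0.0.21:49211 -> 92.63.87.13:80",
    "1424948111 10.0.0.22:49212 -> 92.63.87.13:443",
    "1424948120 host=WS-021 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\edg2.exe",
    "1424948121 host=WS-021 user=alice image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The port check on the firewall line is deliberate: the write-up only reports port 80, so a connection to one of these addresses on another port is left for a human to judge rather than raised automatically.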

At the time of writing, 3 of the 57 AV engines on VirusTotal detected the trojan.

See VirusTotal or Malwr for more detailed information.
SHA256: c56a46575f00e527844ea393c50aa58500dda94088c34489559b610200ba756b