Win32/Kryptik.DHKQ trojan present in fake emails regarding invoice


MX Lab, http://www.mxlab.eu, started to intercept a new Win32/Kryptik.DHKQ trojan variant distribution campaign by email with subjects like:

Rejected invoice cautio
Blocked invoice caution
Received invoice notification
Unaccepted invoice notification
Received invoice notification

The email is sent from spoofed addresses and has bodies similar to the following:

Be adviced that your invoice include wrong values.
Look at the document and checkup data.

Laura Morgan
Commercial Customers Department

Be adviced that your invoice contains incorrect amounts.
Look at the invoice and make data.

Jessica Adams
Commercial Customers Department

Please be informed that your invoice contains false data.
Look at the invoice and checkup corrections.

Jessica Morgan
Commercial Customers Department

Be warned that your invoice has incorrect values.
Observe the document and check amounts.

Laura Jones
Chief accountant

The trojan is delivered in a ZIP archive with a randomly generated file name, for example LXnzEiwp.zip, 4NptJ30d.zip, 3BNeJRPz.zip,… which changes all the time.

The executable inside the ZIP archive is also different each time to evade detection by anti-virus engines. The filenames we found follow a similar pattern, a few examples: rejection_invoice_information.exe, rejection_invoice_report.exe, abrogation_invoice_statement.exe,…
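The indicators above (invoice-themed subjects, an 8-character random ZIP name, an invoice-named .exe inside, and the sample hashes listed below) can be turned into a simple mail-gateway check. The following is an added example, not MX Lab's own code; the sample message it builds is constructed here with a harmless placeholder in place of the executable, and since the post does not say which file the hashes belong to, the hash check is applied to both the attachment and its extracted members.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 values of the samples listed in this post.
KNOWN_SAMPLE_HASHES = {
    "cd6875a2c3b68dd6236bdf6ad10950b267631c59afc6ac42aa4897a8a2f97ecd",
    "6361c000cc4983391b2e1f0c361a8b29d79f389f6964be3bfff4739eeb5b387a",
    "2b8195d7373376220ff4a1da8ba15c71eafeb50ce60574608f279a745fb100af",
}
SUBJECT_RE = re.compile(r"^(rejected|blocked|received|unaccepted) invoice (caution|notification)", re.I)
ZIP_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}\.zip$")               # LXnzEiwp.zip, 4NptJ30d.zip, ...
EXE_NAME_RE = re.compile(r"^[a-z]+_invoice_[a-z]+\.exe$", re.I)  # rejection_invoice_report.exe, ...

def classify_message(raw: bytes) -> list:
    """Return the list of campaign indicators matched by one RFC 822 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha256(payload).hexdigest() in KNOWN_SAMPLE_HASHES:
            hits.append("known-hash")
        if not ZIP_NAME_RE.match(name):
            continue
        hits.append("random-zip-name")
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if EXE_NAME_RE.match(info.filename):
                        hits.append("invoice-exe")
                    # bounded read so a crafted archive cannot exhaust memory
                    member = zf.open(info).read(50_000_000)
                    if hashlib.sha256(member).hexdigest() in KNOWN_SAMPLE_HASHES:
                        hits.append("known-hash")
        except zipfile.BadZipFile:
            hits.append("corrupt-zip")
    return hits

def build_sample_message() -> bytes:
    """Constructed test message mimicking the campaign; the .exe body is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rejection_invoice_report.exe", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Rejected invoice caution"
    msg["From"] = "Laura Morgan <spoofed@example.com>"  # constructed spoofed sender
    msg.set_content("Be adviced that your invoice include wrong values.\nLook at the document and checkup data.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="LXnzEiwp.zip")
    return msg.as_bytes()
```

In production the three indicators together are a strong signal; a subject match alone is not, since legitimate invoice notifications use similar wording.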

The trojan is known as a variant of Win32/Kryptik.DHKQ, W32/Kryptik.DHIG!tr, Downloader-FATU!344AF27A6E29, PE:Malware.Obscure!1.9C59 or Trojan.Win32.Qudamah.Gen.24.

At the time of writing, 6 of the 57 AV engines on Virus Total detected the trojan.

A sample submitted to Virus Total with SHA256: cd6875a2c3b68dd6236bdf6ad10950b267631c59afc6ac42aa4897a8a2f97ecd

A sample submitted to Virus Total with SHA256: 6361c000cc4983391b2e1f0c361a8b29d79f389f6964be3bfff4739eeb5b387a

A sample submitted to Virus Total with SHA256: 2b8195d7373376220ff4a1da8ba15c71eafeb50ce60574608f279a745fb100af