Malware distribution: fake order confirmation from Euronics contains URL to malware


MX Lab, http://www.mxlab.eu, warns of a trojan distribution campaign by email concerning a purchase of a certain amount in the online shop of the company Euronics.

Recipients of this email are told that the proof of purchase, payment details and contact details can be found in a text document.

The email does not originate from the company Euronics, and the embedded URLs download a trojan onto your system.

Emails have subjects similar to the following (English translation in parentheses):

Betaling is voldaan (Payment has been made)
Bedankt vor uw aanvraag (Thank you for your request)
Uw bestelling wordt afgeleverd aan de verwerking (Your order is being handed over for processing)
Uw bestelling wordt geaccepteerd (Your order is accepted)

This email is sent from the spoofed address “noreply@euronics.be” or “info@euronics.be”, is written in Dutch and has the following body (original first, English translation below it):

Hallo Geachte klant! Een aankoop met behulp van uw creditcard is gedaan in onze online shop totaal betaling is 2890€. Voor bewijzen om aankoop en verder betaling overbrengen vanuit uw account, contact onze sales afdeling. Ons telefoonnummer evenals andere contactpersonen informatie kan worden gevonden in een tekstdocument dat u gevonden in deze bericht. Vriendelijke groet dank u. Administratie!

Druk hier om te laden txt

(Translation: Hello Dear customer! A purchase using your credit card has been made in our online shop, total payment is 2890€. For proof of purchase and to transfer further payment from your account, contact our sales department. Our telephone number as well as other contact information can be found in a text document that you find in this message. Kind regards, thank you. Administration!

Click here to load txt)

The malware is hosted on different hosts. A file of about 100 kB named order568493.exe (the numbers vary) is downloaded when you click on the text “Druk hier om te laden txt”.

The trojan is detected as Trojan.Malware.Obscu.Gen.002, TrojanDwnldr.Dalexies.F4, a variant of Win32/Kryptik.EGGD, Gen:Variant.Kazy.774253 or QVM20.1.Malware.Gen.

At the time of writing, 5 of the 55 AV engines on VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 514c3610c88e5ac829b925c5d234d91a1defa6029441b91040276bf9a57050d6
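As an added illustration that is not part of the MX Lab alert, the following Python script turns the indicators listed above (spoofed sender addresses, subject lines, the lure text, the order<digits>.exe download link and the SHA256 of the payload) into a simple mail-filter check. It parses a raw RFC 822 message, reports which indicators match, and offers a hash lookup for a downloaded file. The sample message, the host name malware-host.invalid and the function names are constructed for this example; only the indicators themselves come from the alert.

```python
import email
import hashlib
import re
from email import policy

# Indicators taken from the MX Lab alert above.
SPOOFED_SENDERS = {"noreply@euronics.be", "info@euronics.be"}
KNOWN_SUBJECTS = {
    "betaling is voldaan",
    "bedankt vor uw aanvraag",
    "uw bestelling wordt afgeleverd aan de verwerking",
    "uw bestelling wordt geaccepteerd",
}
LURE_TEXT = "druk hier om te laden txt"
PAYLOAD_SHA256 = "514c3610c88e5ac829b925c5d234d91a1defa6029441b91040276bf9a57050d6"

# The alert says the hosts and the digits vary, so match the shape of the
# file name rather than one fixed URL.
PAYLOAD_URL_RE = re.compile(r"https?://[^\s\"'<>]+/order\d+\.exe", re.IGNORECASE)
GENERIC_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def text_parts(msg):
    """Yield the decoded text of every text/plain and text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part.get_content_type(), part.get_content()


def extract_links(msg):
    """Collect URLs from href attributes and from bare URLs in the body."""
    links = []
    for ctype, body in text_parts(msg):
        if ctype == "text/html":
            links.extend(HREF_RE.findall(body))
        links.extend(GENERIC_URL_RE.findall(body))
    return links


def score_message(raw_bytes):
    """Return the list of indicator names that match one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []

    # The alert states the sender is spoofed; a production rule would
    # combine this with SPF/DKIM/DMARC results rather than the header alone.
    sender = str(msg.get("From") or "").lower()
    if any(addr in sender for addr in SPOOFED_SENDERS):
        hits.append("spoofed-euronics-sender")

    subject = str(msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        hits.append("known-subject")

    if any(PAYLOAD_URL_RE.search(url) for url in extract_links(msg)):
        hits.append("order-exe-link")

    body_text = " ".join(body for _, body in text_parts(msg)).lower()
    if LURE_TEXT in body_text:
        hits.append("lure-text")
    return hits


def matches_known_payload(data):
    """True if the bytes hash to the SHA256 published in the alert."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


# Constructed sample message modelled on the body quoted in the alert.
SAMPLE_EMAIL = """From: Euronics <noreply@euronics.be>
To: klant@example.invalid
Subject: Betaling is voldaan
Content-Type: text/html; charset="utf-8"

<html><body><p>Hallo Geachte klant! Een aankoop met behulp van uw creditcard
is gedaan in onze online shop totaal betaling is 2890€.</p>
<a href="http://malware-host.invalid/order568493.exe">Druk hier om te laden txt</a>
</body></html>
""".encode("utf-8")

# Constructed benign message used as a negative control.
BENIGN_EMAIL = b"""From: Friend <friend@example.invalid>
To: me@example.invalid
Subject: Lunch
Content-Type: text/plain; charset="us-ascii"

See you at 12.
"""

if __name__ == "__main__":
    print("sample:", score_message(SAMPLE_EMAIL))
    print("benign:", score_message(BENIGN_EMAIL))
    print("payload hash match on test bytes:", matches_known_payload(b"not the sample"))
```

Each matched indicator is reported separately so a mail gateway can quarantine on the strong ones (the order<digits>.exe link, the exact payload hash) and only flag the weaker ones (a Dutch subject line on its own) for review.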