Fake message “INTUIT Security Warning” regarding browser update will download trojan


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email. The messages are disguised as notifications from Intuit QuickBooks and use subjects such as:

INTUIT Important Notification
INTUIT QB Security Warning
INTUIT Please Notify!
INTUIT Security Warning
INTUIT Supported Browsers
Intuit QuickBooks Online: Supported Browsers

The email is sent from spoofed addresses such as “QuickBooks Online <security@intuit.com>”, “QuickBooks <security@quickbooks.intuit.com>” or “Intuit Security Center <qbsecuritycenter@intuit.com>” and has the following body:

QuIckBooks.
As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.

Screenshot:

The text “proceed the following link” is a hyperlink that leads to various hosts, for example:

hxxp://updates.intuitdataserver.com/sessionid-801b2bdfcd1f351ca339d00cb53=73a20
hxxp://browsers.intuitupdates-1.com/sessionid-e4ba3a3b99dd49150a2e81b20be=b8182
hxxp://updates.intuitinstruments.com/sessionid-84bc31dca00febc1260c6d02c2=21b691

Once this URL is followed (not recommended), the browser opens a fake update page for either the browser itself or the Adobe Flash plug-in, depending on the browser you are using.

Firefox session:

URL session: hxxp://www.mozilla.org.session-447b23b1cd40e6eef13dbde20e5f4754.updates.intuitinstruments.com/en-US/firefox/update/
Downloaded file: FirefoxUpdate.exe

Safari session:

URL session: hxxp://get.adobe.com.session-5a47c91951b0eff53883efceca4ffca8.updates.intuitdataserver.com/flashplayer/
Downloaded file: FlashPlayerUpdate.exe

The files FirefoxUpdate.exe and FlashPlayerUpdate.exe are identical and 639 kB in size.

At the time of writing, 2 of the 55 AV engines on VirusTotal detected the trojan, as Trojan.A19773F50 or HEUR/QVM03.0.Malware.Gen.

See VirusTotal or Malwr for more detailed information.
SHA256: d6dfe0521d13b069864b93d77a5465706f1544fd78b5c6bd556fa37d7ca0a7b0
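The indicators above (landing hosts with a `sessionid-<hex>=<hex>` path, redirect hosts that put `www.mozilla.org` or `get.adobe.com` in front of a `session-<hex>` label under the attacker's own domain, an intuit.com sender address, and the SHA256 of the dropper) can be turned into a small triage routine. The following is an added example written for this post, not MX Lab's code; the message dictionaries and the `auth` field (a simplified stand-in for an Authentication-Results header) are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the post; "hxxp" defanging is undone by defang_to_url().
LANDING_HOSTS = {
    "updates.intuitdataserver.com",
    "browsers.intuitupdates-1.com",
    "updates.intuitinstruments.com",
}
DROPPER_SHA256 = "d6dfe0521d13b069864b93d77a5465706f1544fd78b5c6bd556fa37d7ca0a7b0"
CAMPAIGN_SUBJECTS = re.compile(r"^(INTUIT\b|Intuit QuickBooks Online: Supported Browsers)")

# Structural patterns seen in the post: "/sessionid-<hex>=<hex>" landing paths and
# "<brand host>.session-<32 hex>.<attacker domain>" redirect hosts.
SESSIONID_PATH = re.compile(r"^/sessionid-[0-9a-f]+=[0-9a-f]+$")
SESSION_LABEL = re.compile(r"^session-[0-9a-f]{32}$")
BRAND_DOMAINS = ("mozilla.org", "adobe.com", "intuit.com")


def defang_to_url(text):
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://")


def registered_domain(host):
    # Naive last-two-labels rule; fine for the .com/.org hosts in the post.
    # A real deployment would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])


def classify_url(url):
    """Return the reasons a URL resembles this campaign (empty list if none)."""
    parts = urlsplit(defang_to_url(url))
    host = (parts.hostname or "").lower()
    reasons = []
    if host in LANDING_HOSTS:
        reasons.append("known landing host")
    if SESSIONID_PATH.match(parts.path):
        reasons.append("sessionid path")
    if any(SESSION_LABEL.match(label) for label in host.split(".")):
        reasons.append("session-<hex> host label")
    for brand in BRAND_DOMAINS:
        # A brand hostname embedded as a prefix of someone else's domain,
        # e.g. www.mozilla.org.session-<hex>.updates.intuitinstruments.com
        if f".{brand}." in f".{host}." and registered_domain(host) != brand:
            reasons.append(f"{brand} used as subdomain of {registered_domain(host)}")
    return reasons


def sender_looks_spoofed(from_addr, auth_results):
    """The campaign claims intuit.com senders; trust that claim only with SPF or DKIM pass.
    auth_results is a constructed dict such as {"spf": "fail", "dkim": "none"}."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if registered_domain(domain) != "intuit.com":
        return False
    return not (auth_results.get("spf") == "pass" or auth_results.get("dkim") == "pass")


def triage_message(msg):
    """msg: {"from", "subject", "urls", "auth"}; returns the list of matched indicators."""
    reasons = []
    if CAMPAIGN_SUBJECTS.match(msg["subject"]):
        reasons.append("campaign subject")
    if sender_looks_spoofed(msg["from"], msg.get("auth", {})):
        reasons.append("intuit.com sender without SPF/DKIM pass")
    for url in msg.get("urls", []):
        reasons.extend(f"{r}: {url}" for r in classify_url(url))
    return reasons


def is_known_dropper(data):
    """Compare a downloaded file's SHA256 against the hash given in the post."""
    return hashlib.sha256(data).hexdigest() == DROPPER_SHA256


# Constructed sample messages: one assembled from the post's indicators, one benign.
PHISH = {
    "from": "security@intuit.com",
    "subject": "INTUIT Security Warning",
    "auth": {"spf": "fail", "dkim": "none"},
    "urls": [
        "hxxp://updates.intuitinstruments.com/sessionid-84bc31dca00febc1260c6d02c2=21b691",
        "hxxp://www.mozilla.org.session-447b23b1cd40e6eef13dbde20e5f4754.updates.intuitinstruments.com/en-US/firefox/update/",
    ],
}
BENIGN = {
    "from": "newsletter@example.org",
    "subject": "Monthly update",
    "auth": {"spf": "pass", "dkim": "pass"},
    "urls": ["https://www.mozilla.org/en-US/firefox/"],
}

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, triage_message(m) or "no indicators")
```

The brand-prefix check is the part worth keeping after this campaign ends: the exact hosts will rotate, but a legitimate `www.mozilla.org` never sits as a subdomain under a third party's registered domain, so that rule catches the redirect technique rather than one instance of it.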
