MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email that is masked as a message from Intuit QuickBooks, with subjects such as:
INTUIT Important Notification
INTUIT QB Security Warning
INTUIT Please Notify!
INTUIT Security Warning
INTUIT Supported Browsers
Intuit QuickBooks Online: Supported Browsers
This email is sent from spoofed addresses similar to “QuickBooks Online <email@example.com>”, “QuickBooks <firstname.lastname@example.org>” or “Intuit Security Center <email@example.com>” and has the following body:
As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!
InTuIT. | simplify the business of life
2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.
The text “proceed the following link” carries a URL that leads to various hosts like:
Once this URL is followed (which is not recommended), the browser opens a fake update page, either for the browser itself or for the Adobe Flash plug-in, depending on the browser you are using.
URL session: hxxp://www.mozilla.org.session-447b23b1cd40e6eef13dbde20e5f4754.updates.intuitinstruments.com/en-US/firefox/update/
Downloaded file: FirefoxUpdate.exe
URL session: hxxp://get.adobe.com.session-5a47c91951b0eff53883efceca4ffca8.updates.intuitdataserver.com/flashplayer/
Downloaded file: FlashPlayerUpdate.exe
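Both lure hostnames put a trusted brand host (www.mozilla.org, get.adobe.com) at the front of a much longer name whose registrable domain belongs to the attacker, followed by a per-victim “session-” label. The Python below is an added defensive example, not code from MX Lab or the original post: it extracts the registrable domain, flags the brand-as-subdomain pattern and the session label, and runs over a few constructed proxy log lines that reuse the page's two URLs.

```python
import re
from urllib.parse import urlsplit

# Brand hostnames that the lure URLs on this page place at the front of the name.
KNOWN_BRAND_HOSTS = ("www.mozilla.org", "get.adobe.com")
# The per-victim tracking label seen in both lure URLs: "session-" plus a hex string
# (32 hex digits in the page's samples; 16 or more accepted here).
SESSION_LABEL = re.compile(r"^session-[0-9a-f]{16,}$")

def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for the .com hosts on this page;
    a production check should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze_lure_url(url):
    """Describe why a URL looks like a brand-impersonating lure (or why it does not)."""
    host = (urlsplit(url).hostname or "").lower()  # urlsplit accepts the defanged hxxp scheme
    reasons = []
    for brand in KNOWN_BRAND_HOSTS:
        # The brand host is only a leading subdomain; the registrable domain is someone else's.
        if host.startswith(brand + ".") and registrable_domain(host) != registrable_domain(brand):
            reasons.append(f"{brand} used as subdomain of {registrable_domain(host)}")
    if any(SESSION_LABEL.match(label) for label in host.split(".")):
        reasons.append("session-<hex> tracking label in hostname")
    return {"host": host, "registrable_domain": registrable_domain(host),
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed proxy log lines (not from the original post); the lure URLs are the page's own.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET hxxp://www.mozilla.org.session-447b23b1cd40e6eef13dbde20e5f4754.updates.intuitinstruments.com/en-US/firefox/update/
10.0.0.7 GET https://www.mozilla.org/en-US/firefox/new/
10.0.0.9 GET hxxp://get.adobe.com.session-5a47c91951b0eff53883efceca4ffca8.updates.intuitdataserver.com/flashplayer/
"""

def flag_lure_domains(log_text):
    """Return the sorted registrable domains of every flagged URL in a proxy log."""
    flagged = set()
    for line in log_text.splitlines():
        for token in line.split():
            if "://" in token:
                result = analyze_lure_url(token)
                if result["suspicious"]:
                    flagged.add(result["registrable_domain"])
    return sorted(flagged)

if __name__ == "__main__":
    for domain in flag_lure_domains(SAMPLE_PROXY_LOG):
        print("lure domain:", domain)
```

The legitimate www.mozilla.org line is left alone because its registrable domain matches the brand host; only the two attacker-controlled domains are reported.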
The files FirefoxUpdate.exe and FlashPlayerUpdate.exe are identical and 639 kB in size.
At the time of writing, only 2 of the 55 AV engines at VirusTotal detected the trojan, as Trojan.A19773F50 or HEUR/QVM03.0.Malware.Gen.