MX Lab Detects Malicious E-mails Asking for Order Details
MX Lab, the security company, recently detected several variations of an e-mail posing as an enquiry about an order and containing a web-link that actually leads to a malicious .scr file.
Sent from a spoofed address, the e-mail carries a subject line along the lines of "Order Inquiries." Its sender, addressing the recipient as "Dear Sir/Madam," introduces himself as Tc Koung, purchasing officer for Aracom Business Group, headquartered in the USA. He writes that a former customer of the recipient recommended the recipient and passed his contact details on to Aracom, and that the group now wants to place an order for his goods for the company's forthcoming trading year. The e-mail then asks the recipient to view an attachment that supposedly contains the order list together with three-dimensional drawings and pictures giving the details, and to quote his price for every item on the list along with FOB and payment terms.
The attachment is a scanned document that looks formal, and the e-mail also contains two web-links, "Download all as a zip" and "View slideshow." Both URLs, like a link embedded in the scanned document, lead to the website of a hotel based in Vientiane, the capital of Laos.
The hotel's website, which the scammers hijacked, hosts the malicious .scr file, also planted by the scammers. MX Lab identified the file as Win32:Rootkit-gen or Trojan/Win32.Zbot; when run, it creates a process named votuiqo.exe and adds numerous registry entries.
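As an added illustration, not part of the original report or of MX Lab's analysis, the following Python script shows the kind of triage check a mail gateway or an analyst could run over such a message: it pulls every link out of an HTML body and flags any whose target is a Windows executable, especially where the link text promises an archive or a slideshow. The hotel.example domain, the file name and the e-mail body are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File types Windows runs directly. A link advertised as a zip archive or a
# slideshow has no business resolving to one of these.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".jar", ".msi", ".cpl",
}

# Words in link text that promise a harmless document or archive.
BENIGN_CLAIMS = ("zip", "slideshow", "pdf", "document", "drawing", "order", "invoice")


class AnchorCollector(HTMLParser):
    """Collect (link text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (text, href) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse runs of whitespace inside the anchor text
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def path_extension(url):
    """Lower-cased extension of the last path segment ('' if none).

    Only the final extension counts, so 'Order_List.pdf.scr' gives '.scr';
    query strings and fragments are ignored.
    """
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def triage_links(html_body):
    """Return (text, href, reason) for every anchor pointing at an executable."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        ext = path_extension(href)
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        if any(word in text.lower() for word in BENIGN_CLAIMS):
            reason = "link text %r promises a document but target is %s" % (text, ext)
        else:
            reason = "target is a Windows executable (%s)" % ext
        findings.append((text, href, reason))
    return findings


# Constructed sample body modelled on the lure described in the article;
# the domain and file name are invented for this example.
SAMPLE_EMAIL = """
<p>Dear Sir/Madam,</p>
<p>Please find attached our order list and drawings.</p>
<a href="http://hotel.example/files/Order_List.pdf.scr">Download all as a zip</a>
<a href="http://hotel.example/files/Order_List.pdf.scr?id=7">View slideshow</a>
<a href="http://hotel.example/about.html">About us</a>
"""

if __name__ == "__main__":
    for text, href, reason in triage_links(SAMPLE_EMAIL):
        print("%-22s %s\n    %s" % (text, href, reason))
```

The check deliberately looks only at the final extension of the URL path, so the common double-extension trick (a name ending in .pdf.scr) is still caught, and a query string appended to the link does not hide it.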
At the time of analysis, the researchers found that only 28 of VirusTotal's 46 anti-virus engines detected the Trojan's payload.
Scam e-mails masquerading as Aracom have been circulating online for quite some time.
Fraudulent campaigns of this kind can be extremely effective against firms. The scammers are most likely aiming to install the information-stealing Trojan on organisations' networks so that they can then break into their bank accounts.
Anyone who receives such an e-mail should delete it. Those already infected should run an up-to-date anti-virus scan and examine their bank accounts for fraudulent transactions, the researchers advise.
» SPAMfighter News - 11-07-2013