Oficla spam on the rise (April 8, 2011)


The SonicWALL UTM Research team has observed an increase in spam campaigns involving new variants of the Oficla Trojan over the last two weeks. These spam campaigns included tracking notices and delivery failure notices purporting to come from various mailing services.

SonicWALL has received more than 700,000 e-mail copies from these spam campaigns so far. The e-mail messages in all of these campaigns carry a zip-archived attachment containing a new variant of the Oficla Trojan executable. A sample e-mail from each spam campaign is shown below:

Campaign #1 – United Parcel Service (UPS) tracking number spam starting March 28, 2011

– Fake UPS tracking notices with slightly different subject and body.

screenshot

Campaign #2 – Post Express notification spam starting March 28, 2011

– Fake delivery failure message containing a mailing label and invoice copy to pick up a package. Below is an example of one such e-mail:

screenshot

Campaign #3 – DHL Express spam, March 30, 2011

– Fake DHL tracking notices

screenshot

Campaign #4 – Express Delivery notification spam starting April 6, 2011

– Fake Express Delivery tracking notices

screenshot

The executable files inside the attachment masquerade as popular document formats such as MS Word and PDF by using those formats' icons to trick the user:

screenshot
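An icon only fools the eye; a mail gateway can look at the attachment's actual bytes. The following added example (not SonicWALL's code) screens a zip attachment for executables regardless of how the member is named: it flags members with executable extensions and members whose content starts with the MZ stub of a Windows PE file, which catches a renamed executable that carries a document name and icon. The archive and its member contents are constructed inline for illustration.

```python
"""Screen a zipped e-mail attachment for executables hiding behind document-like names.

Added example (not SonicWALL code). The archive below is constructed in memory so the
check runs offline; real attachments would be read from the mail gateway's quarantine.
"""
import io
import posixpath
import zipfile

# Extensions Windows runs directly; a shipping label or invoice never needs one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_pe_image(head: bytes) -> bool:
    """True if the bytes start with the 'MZ' DOS stub that every Windows PE file carries.

    This catches a renamed executable whose icon and name both claim 'document'.
    """
    return head[:2] == b"MZ"


def screen_zip_attachment(zip_bytes: bytes) -> list:
    """Return (member name, reason) for every archive member that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()  # zip entries use '/' separators
            with archive.open(info) as member:
                head = member.read(2)  # only the first two bytes are needed for the MZ check
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension"))
            elif is_pe_image(head):
                findings.append((name, "PE header behind a non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; the member contents are stubs, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("UPS_invoice.doc.exe", b"MZ" + b"\x00" * 62)   # doubled extension
        archive.writestr("Shipping_label.pdf", b"MZ" + b"\x00" * 62)    # renamed PE file
        archive.writestr("readme.txt", b"Thank you for using our service.")  # benign text
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in screen_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

Run stand-alone, the script reports the doubled-extension member and the renamed PE file and stays silent on the text file. Checking the header rather than trusting the name is what makes the second case visible; a policy that only blocks *.exe attachments misses it.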

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Connects to a malicious site, zalupkin.ru, and downloads a fake antivirus (Fake AV) application. It saves the downloaded file at the following location and executes it:
    • (Application Data)\emm.exe – Detected as GAV: Kryptik.MLA (Trojan)
  • Registry modification (shell spawning technique so that it runs itself whenever an executable or a browser is launched):
    • HKCR\exefile\shell\open\command @: "%1" %* (original) → "(Application Data)\emm.exe" -a "%1" %* (modified)
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE (original)
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE" (modified)
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode (original)
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode" (modified)
    • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command: C:\Program Files\Internet Explorer\iexplore.exe (original)
    • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command: "(Application Data)\emm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe" (modified)

    If the user then attempts to open any application executable, the malware shows a fake infection warning, as seen below:

    screenshot

  • Disables the Windows automatic update feature by deleting the following registry key:
    • HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  • Deletes the original copy of the malware executable.
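The registry changes above leave a footprint that is easy to audit from a registry export. The following added example (not SonicWALL's code) parses a .reg export and applies three checks derived from the behaviour listed: the exefile handler must still be the stock "%1" %*, each StartMenuInternet open/safemode command must launch the browser the key is named after rather than some other program, and the wuauserv service key must be present when the Services hive was exported. The .reg text is a constructed sample that mirrors the entries in this advisory; the user profile path in it is an assumption.

```python
"""Audit a Windows .reg export for the shell-handler hijacks and the service deletion
described in the Oficla advisory. Added example, not SonicWALL code; SAMPLE_REG is a
constructed export (profile path is an assumption), not a capture from an infected host."""
import re

EXEFILE_KEY = "HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command"
STOCK_EXEFILE_COMMAND = '"%1" %*'
START_MENU_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet\\"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
WUAUSERV_KEY = SERVICES_PREFIX + "wuauserv"

# Constructed sample export: exefile and Firefox handlers point at emm.exe, Internet
# Explorer's handler is untouched, and wuauserv is missing although Services was exported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\emm.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\emm.exe\" -a \"C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="Background Intelligent Transfer Service"
"""


def _unescape(data: str) -> str:
    """Undo .reg string escaping: a backslash quotes the next character."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: string data}} for the string values in a .reg export.

    Real exports are UTF-16 with CRLF line ends; decode them to str before calling.
    Only REG_SZ values are kept, which is all the checks below need.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
    return keys


def launched_program(command: str) -> str:
    """The program a shell command actually starts: the first quoted path, else the first token."""
    match = re.match(r'\s*"([^"]*)"', command)
    if match:
        return match.group(1)
    tokens = command.split()
    return tokens[0] if tokens else ""


def audit_shell_handlers(keys: dict) -> list:
    """Return (key, finding) pairs for every indicator from the advisory that is present."""
    findings = []
    exefile = keys.get(EXEFILE_KEY, {}).get("@")
    if exefile is not None and exefile != STOCK_EXEFILE_COMMAND:
        findings.append((EXEFILE_KEY, "exefile handler replaced: " + exefile))
    for key, values in keys.items():
        if not key.startswith(START_MENU_PREFIX):
            continue
        if not re.search(r"\\shell\\(open|safemode)\\command$", key, re.IGNORECASE):
            continue
        browser = key[len(START_MENU_PREFIX):].split("\\")[0]  # e.g. FIREFOX.EXE
        program = launched_program(values.get("@", ""))
        if program.split("\\")[-1].lower() != browser.lower():
            findings.append((key, f"{browser} handler launches {program!r} instead"))
    if any(k.startswith(SERVICES_PREFIX) for k in keys) and WUAUSERV_KEY not in keys:
        findings.append((WUAUSERV_KEY, "Windows Update service key missing"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_shell_handlers(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {finding}")
```

On the sample the audit reports the exefile hijack, the Firefox handler pointing at emm.exe and the missing wuauserv key, and stays quiet on Internet Explorer's untouched handler. The browser check compares the launched program's basename against the key's own name, so it generalises to any StartMenuInternet client, not only the two browsers listed above.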

More fake infection warnings pressuring the user to buy the rogue application:

screenshot

screenshot

screenshot

SonicWALL Gateway AntiVirus provides protection against the above spam campaigns with the following signatures:

  • GAV: Oficla.CE#email_2 (Trojan) [599,897 hits]
  • GAV: Oficla.AC (Trojan) [105,518 hits]
  • GAV: Oficla.AE_3 (Trojan) [60,962 hits]
  • GAV: Oficla.MKD (Trojan) [27,559 hits]