Million dollar Tax draw spam leads to Banker Trojan (Feb 10, 2012)
The SonicWALL UTM Research team found a new Banking Trojan variant being spammed heavily over the past three days. The spammed e-mail pretends to contain a bank form asking the user to confirm an ACH transfer worth one million dollars. The zipped attachment in the e-mail actually contains a malicious executable that uses the Right-To-Left Override (RLO) technique to present itself as a document file.
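The RLO trick works because a file manager draws everything after the U+202E control character right-to-left, so a name such as "form_<RLO>cod.exe" is displayed as "form_exe.doc" while the real extension stays ".exe". The following added example (not part of the original advisory, and not SonicWALL's code) checks attachment names inside a zip for bidi control characters and reports the displayed name against the real extension; the sample attachment, its member names and the "Application Data" style paths are constructed for the demonstration, and the rendering is an approximation that reverses the text after the first RLO rather than running the full Unicode bidi algorithm.

```python
import io
import os
import zipfile

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE)
# is the one the advisory describes; the rest are flagged for the same reason.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"})


def displayed_name(filename: str) -> str:
    """Approximate what a file manager renders: the text after the first
    U+202E is drawn right-to-left, i.e. visually reversed (approximation;
    the full Unicode bidi algorithm is not implemented here)."""
    head, sep, tail = filename.partition("\u202e")
    return head + tail[::-1] if sep else filename


def analyze_filename(filename: str) -> dict:
    """Report the real extension versus the one the user would see."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    has_bidi = any(ch in BIDI_CONTROLS for ch in filename)
    return {
        "filename": filename,
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "has_bidi_control": has_bidi,
        # Suspicious when a bidi control is present and either the true
        # extension is executable or the two extensions disagree.
        "suspicious": has_bidi and (real_ext in EXECUTABLE_EXTENSIONS or real_ext != shown_ext),
    }


def scan_zip_attachment(data: bytes) -> list:
    """Analyze every member name of a zipped attachment held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_filename(name) for name in zf.namelist()]


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip whose first member name carries U+202E so
    'ACH_Transfer_Form_<RLO>cod.exe' displays as 'ACH_Transfer_Form_exe.doc'.
    The member content is an inert placeholder, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ACH_Transfer_Form_\u202ecod.exe", b"placeholder, not an executable")
        zf.writestr("readme.txt", b"benign member for comparison")
    return buf.getvalue()
```

Run `scan_zip_attachment(build_sample_attachment())` to see the first member flagged with real extension ".exe" and displayed extension ".doc", while the plain text member is not.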
The SonicWALL Research team has captured more than 2000 copies of e-mails from this spam campaign in the past 48 hours. Below are some sample messages:
The malicious executable found in the zipped attachments looks like:
Upon execution, it performs the following activities:
- Drops a copy of itself and runs it:
  - (Application Data)\KB00903122.exe [Detected as GAV: Injector.NYF (Trojan)]
- Registry modifications:
  - HKU\UserID\Software\Microsoft\Windows Media Center [Uses this key to save the banking site list and the script to inject]
  - HKU\UserID\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
  - HKU\UserID\Software\Microsoft\Windows\CurrentVersion\Run\KB00903122.exe: "(Application Data)\KB00903122.exe"
- Connects to a remote server to send the victim machine's information and receives a list of banking sites and a script to inject:
  POST /rwx/B1_3n9/in/ HTTP/1.1
  Host: hmvmgywkvayilcwh.ru:8080
SonicWALL Gateway AntiVirus provides proactive protection against this spam campaign via the following signatures:
- GAV: Injector.NYF (Trojan)
- GAV: Suspicious#rtol.dc (Trojan)