
SANS ISC InfoSec Handlers Diary Blog



BBB=>IRS=>FTC=>Proforma | don't open that invoice!

Published: 2007-06-15
Last Updated: 2007-06-15 20:56:54 UTC
by donald smith (Version: 3)
0 comment(s)

BBB->IRS->FTC->Proforma_Invoice.doc
Several of our ever-vigilant readers have warned us of a new targeted Trojan “document” that is being sent specifically to executives in corporations.
Thanks Dan, Andy and Joe!
The subjects of the emails were of the form:

Proforma Invoice for "Company Name" (Attn: "Executive Name")

The body of the email included this text:

"Hello,

The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks."


It is another Word “document” with a malicious embedded object, similar to the BBB, IRS, FTC and other targeted Trojan “documents” we have seen lately.

The file sent is Proforma_Invoice.doc.
The AV vendors that detected it at VirusTotal were:

Vendor      Version   Signature date  Detection name
Authentium  4.93.8    06.15.2007      W32/Dropper.ESR
Fortinet    2.85.0.0  06.15.2007      W32/Nuclear!tr
Sophos      4.18.0    06.12.2007      Troj/BHO-BP
Symantec    10        06.15.2007      Downloader
Panda       9.0.0.4   06.15.2007      Suspicious file

The document itself contains an icon of a pair of books (blue and yellow) and a magnifying glass, and the text:
“DOUBLE CLICK THE ICON ABOVE
TO VIEW THE DOCUMENT DETAILS”
The icon represents a “Packaged Object”, an embedded OLE package that can wrap an arbitrary file, in this case an executable.

Clicking the icon on XP SP2 resulted in a Windows popup box that stated:
“The publisher could not be verified. Are you sure you want to run this software?
Name: C_PROFOR~1.EXE
Publisher: Unknown Publisher
Type: Application”

The three copies we have seen so far were all the same: all were 689,152 bytes long and all had an MD5 hash of 47fff5b9d3765b70571454146ea9f244.
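A small triage script for documents of this kind, added here as an example (it is not code from the diary or from any of the readers). It checks whether a file is an OLE2 compound document, compares its size and MD5 against the indicators quoted above, looks for the UTF-16LE directory-entry names that a “Packaged Object” leaves behind (an Ole10Native stream, normally under the ObjectPool storage), and walks every MZ header to see whether its e_lfanew field points at a PE signature. The stream names and the PE layout are standard; the sample blob built by build_constructed_sample() is constructed for the demonstration and is not the real file.

```python
import hashlib

# Indicators from the diary: all three samples were 689,152 bytes with this MD5.
KNOWN_SIZE = 689152
KNOWN_MD5 = "47fff5b9d3765b70571454146ea9f244"

# Magic bytes of an OLE2 compound file (the legacy .doc container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entries store stream/storage names as UTF-16LE. A "Packaged
# Object" like the one in the diary lives in an "\x01Ole10Native" stream,
# normally under the document's "ObjectPool" storage.
PACKAGE_MARKERS = {
    "Ole10Native stream (packaged object)": "\x01Ole10Native".encode("utf-16-le"),
    "ObjectPool storage (embedded objects)": "ObjectPool".encode("utf-16-le"),
}


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of MZ headers whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def triage_document(data: bytes) -> dict:
    """Heuristic triage of a .doc: container type, IoC match, packaged-object markers."""
    md5 = hashlib.md5(data).hexdigest()
    markers = [label for label, marker in PACKAGE_MARKERS.items() if marker in data]
    pe_offsets = find_embedded_pe(data)
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "size_match": len(data) == KNOWN_SIZE,
        "md5": md5,
        "md5_match": md5 == KNOWN_MD5,
        "markers": markers,
        "embedded_pe_offsets": pe_offsets,
        # A Word file carrying an Ole10Native stream or a PE image deserves a
        # look even when the hash does not match a known sample.
        "suspicious": data.startswith(OLE_MAGIC)
        and (bool(pe_offsets) or "Ole10Native stream (packaged object)" in markers),
    }


def build_constructed_sample() -> bytes:
    """Constructed test input (not a real sample): OLE header, two directory-entry
    names and a fake PE stub whose e_lfanew points at 'PE\\0\\0' at offset 0x80."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub += b"\x00" * (0x80 - len(stub)) + b"PE\x00\x00"
    return (
        OLE_MAGIC + b"\x00" * 504
        + "ObjectPool".encode("utf-16-le") + b"\x00" * 44
        + "\x01Ole10Native".encode("utf-16-le") + b"\x00" * 40
        + bytes(stub)
    )


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_constructed_sample()
    for key, value in triage_document(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real document, or with no arguments to see the constructed sample flagged. The marker search is deliberately a raw byte scan rather than a full OLE parse, so it also catches packages in documents whose directory structure is damaged; the price is that it cannot tell which storage a stream belongs to, which is why a hit here is a reason to open the file in a proper OLE parser on an isolated analysis machine, not a verdict.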

A word of caution: Do NOT open strange documents or run untrusted binaries on a machine you don’t wish to format and reinstall the OS on!
Most of us who do malware analysis keep a machine on which we can reinstall a fresh, clean copy of the OS if things go wrong, and the ability to watch its network traffic to see if anything is going wrong.


UPDATE

Several additional comments from readers on this malware:

"We have also seen this targeted executive malware infection.
I have observed multiple machines once infected attempting to connect over https to 216.7.80.5"

"Thank you for highlighting the evil malware going around today.
We have received two of them so far, addressed directly to
two Senior Execs at a prominent U.S. consumer electronics retailer."


"The executable is definitely a Trojan.
It creates an executable called microsoft.exe and adds it to the
normal HKLM\Software\Microsoft\Windows\Current Version\Run key
(and the user's profile \Run key) to ensure it gets started on system startup.

It looks like the executable is trying to contact three web domains:
hlplace.com, www.tanzatl.org, and aecv.ch."

hlplace.com -> 76.162.218.180
www.tanzatl.org -> 208.64.137.12
aecv.ch is not resolving from my location
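One way to put the network and persistence indicators from the reader reports to work, added here as an example (not code from the diary or from the readers who wrote in): match proxy and DNS log lines against the three domains and the three IP addresses above, group hits by internal client so each host gets one ticket, and flag Run-key entries whose executable is named microsoft.exe. The log formats, the log lines themselves, the subdomain cdn.hlplace.com and the registry entries are all constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Network indicators reported in the diary and its reader updates.
IOC_DOMAINS = {"hlplace.com", "www.tanzatl.org", "aecv.ch"}
IOC_IPS = {"216.7.80.5", "76.162.218.180", "208.64.137.12"}

# Constructed sample lines (not real logs): a simplified proxy access log in
# "timestamp client method host:port" shape and a DNS query log.
# "cdn.hlplace.com" is a made-up subdomain to exercise suffix matching.
SAMPLE_PROXY_LOG = """\
2007-06-15T14:02:11Z 10.1.4.23 CONNECT 216.7.80.5:443
2007-06-15T14:02:13Z 10.1.4.23 GET www.example.com:80
2007-06-15T14:03:40Z 10.1.9.7 GET hlplace.com:80
2007-06-15T14:03:41Z 10.1.9.7 GET cdn.hlplace.com:80
2007-06-15T14:05:02Z 10.1.2.2 CONNECT mail.example.org:443
"""
SAMPLE_DNS_LOG = """\
2007-06-15T14:03:39Z 10.1.9.7 query A www.tanzatl.org
2007-06-15T14:03:39Z 10.1.9.7 query A aecv.ch
2007-06-15T14:04:00Z 10.1.4.23 query A www.example.com
"""

# Constructed Run-key values (value name -> command line), as they might be
# read from a registry export of HKLM\...\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "microsoft": '"C:\\Documents and Settings\\user\\microsoft.exe"',
}

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<dest>[^:\s]+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<name>\S+)$")


def domain_matches(name: str) -> bool:
    """True for an IoC domain or any subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(value: str) -> bool:
    """True when the value parses as an IP address that is on the IoC list."""
    try:
        return str(ipaddress.ip_address(value)) in IOC_IPS
    except ValueError:
        return False


def scan_logs(proxy_text: str, dns_text: str) -> list:
    """Return one hit per log line whose destination or query name is an IoC."""
    hits = []
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if m and (ip_matches(m["dest"]) or domain_matches(m["dest"])):
            hits.append({"source": "proxy", "ts": m["ts"], "client": m["client"],
                         "indicator": m["dest"], "detail": f"{m['method']} port {m['port']}"})
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m and domain_matches(m["name"]):
            hits.append({"source": "dns", "ts": m["ts"], "client": m["client"],
                         "indicator": m["name"], "detail": f"{m['qtype']} query"})
    return hits


def hosts_to_investigate(hits: list) -> dict:
    """Group matched indicators by internal client address."""
    by_client = defaultdict(set)
    for hit in hits:
        by_client[hit["client"]].add(hit["indicator"])
    return {client: sorted(inds) for client, inds in by_client.items()}


def _executable_of(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def suspicious_run_entries(entries: dict) -> list:
    """Flag Run-key values whose executable is named microsoft.exe, as reported above."""
    flagged = []
    for name, command in entries.items():
        basename = _executable_of(command).replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() == "microsoft.exe":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    found = scan_logs(SAMPLE_PROXY_LOG, SAMPLE_DNS_LOG)
    for hit in found:
        print(hit)
    print("hosts:", hosts_to_investigate(found))
    print("run-key entries:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```

Suffix matching on the domains matters because a sinkhole or proxy log will often show a subdomain rather than the bare name; matching the IP on CONNECT lines is what catches the HTTPS connection to 216.7.80.5 that one reader observed, since the hostname never appears in a plain tunnel log.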
