Oficla spam on the rise
SonicWALL UTM Research team has observed an increase in spam campaigns involving new variants of the Oficla Trojan in the last two weeks. These spam campaigns included tracking notices and delivery failure notices from various mailing services.
SonicWALL has received more than 700,000 e-mail copies from these spam campaigns to date. The e-mail messages in all these spam campaigns have a zip-archived attachment which contains the new Oficla Trojan executable variants. The sample e-mail format from each spam campaign is shown below:
Campaign #1 - United Parcel Service (UPS) tracking number spam starting March 28, 2011
- Fake UPS tracking notices with slightly different subject and body.
Campaign #2 - Post Express notification spam starting March 28, 2011
- Fake delivery failure message containing a mailing label and invoice copy to pick up a package. Below is an example of one such e-mail:
Campaign #3 - DHL Express spam starting March 30, 2011
- Fake DHL tracking notices
Campaign #4 - Express Delivery notification spam starting April 6, 2011
- Fake Express Delivery tracking notices
The executable file inside the attachment uses the icon of popular document formats such as MS Word and PDF to trick the user:
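Because the lure relies on a document icon, a mail gateway or analyst cannot rely on how the attachment looks. The following Python script is an added example (not part of the original advisory, not SonicWALL code) that inspects a zip attachment by content: it flags members whose extension is executable and, independently, members whose first bytes carry the PE "MZ" magic regardless of name. The archive and its member names are constructed here for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # DOS/PE header signature at offset 0 of every Windows executable

# Constructed stand-in for a Windows executable: only the "MZ" magic matters for this check.
FAKE_PE = PE_MAGIC + b"\x00" * 62


def build_sample_zip() -> bytes:
    """Build an in-memory zip shaped like the campaign attachments.

    Member names are constructed for this example and are not taken from the advisory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_invoice_0000000.exe", FAKE_PE)  # executable posing as an invoice
        zf.writestr("Invoice.pdf", FAKE_PE)              # executable renamed to look like a PDF
        zf.writestr("readme.txt", b"plain text, harmless")
    return buf.getvalue()


def scan_zip_attachment(zip_bytes: bytes):
    """Return [(member_name, [reasons])] for members that look like executables.

    Two independent signals are used: the member's extension and the first bytes of
    its content. Content sniffing is what catches an .exe carrying a Word/PDF icon or
    a misleading file name, which an extension check alone would miss.
    """
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if PurePosixPath(info.filename).suffix.lower() in EXEC_EXTENSIONS:
                reasons.append("executable_extension")
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    reasons.append("pe_magic")
            if reasons:
                suspicious.append((info.filename, reasons))
    return suspicious


if __name__ == "__main__":
    for name, reasons in scan_zip_attachment(build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
```

The renamed member is reported on the magic bytes alone, which is the case the icon trick is designed to exploit; a gateway policy that quarantines on either signal covers both the plain `.exe` and the disguised variant.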
If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:
- Connects to a malicious site zalupkin.ru and downloads Fake AV. It saves the downloaded file at the following location and executes it:
- (Application Data)\emm.exe - Detected as GAV: Kryptik.MLA (Trojan)
- Registry modification (shell spawning technique to run itself):
- HKCR\exefile\shell\open\command (default value) - original: "%1" %* - modified: "(Application Data)\emm.exe" -a "%1" %*
- HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command - original: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
- HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command - modified: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
- HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command - original: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode"
- HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command - modified: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode"
- HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command - original: "C:\Program Files\Internet Explorer\iexplore.exe"
- HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command - modified: "(Application Data)\emm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"
If the user attempts to open any of the above application executables, it shows a fake infection warning as seen below:
- Disables the Windows Automatic Updates feature by deleting the following registry key:
- HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
- Deletes the original copy of the malware executable.
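The registry changes above are persistent and survive deletion of the original dropper, so they are what an incident responder checks for on a suspect machine. The following Python script is an added example (not from the advisory or from SonicWALL) that reads a .reg export of the affected hives and reports the three conditions listed: the exefile shell command no longer being the stock "%1" %*, a StartMenuInternet browser launcher whose first program is not the browser named in the key, and the wuauserv service key missing while other service keys are present. The export text is constructed for this example; the profile path it contains (C:\Documents and Settings\user\Application Data) is an assumed XP-era location standing in for the advisory's "(Application Data)" placeholder, and .reg files spell the roots out as HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE where the advisory writes HKCR and HKLM.

```python
import re

# Key names as they appear in a .reg export (the advisory abbreviates the roots as HKCR/HKLM).
EXEFILE_KEY = "HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command"
EXPECTED_EXEFILE = '"%1" %*'  # stock default value on a clean system
STARTMENU_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet\\"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
WUAUSERV_KEY = SERVICES_PREFIX + "wuauserv"

# Constructed .reg-style export reflecting the modifications listed in the advisory.
# The profile path is an assumed XP-era "Application Data" location, not a captured value.
# The wuauserv key is deliberately absent; a neighbouring service key (BITS) is present so
# the checker can tell "deleted" apart from "hive not exported".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\emm.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\emm.exe\" -a \"C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
'''


def parse_reg_export(text: str):
    """Return (set of key paths, {key path: default value}) from .reg export text.

    Only the default value (@="...") of each key is needed for these checks;
    named values such as "Start"=dword:... are ignored.
    """
    keys = set()
    defaults = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.add(key)
        elif key is not None and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return keys, defaults


def first_program(cmd: str) -> str:
    """Return the program a shell command line launches (the first quoted or bare token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def find_hijacks(keys, defaults):
    """Return a list of (finding, detail) tuples for the three conditions in the advisory."""
    findings = []
    exe_cmd = defaults.get(EXEFILE_KEY)
    if exe_cmd is not None and exe_cmd != EXPECTED_EXEFILE:
        findings.append(("exefile_shell_hijack", exe_cmd))
    for key, cmd in defaults.items():
        if key.startswith(STARTMENU_PREFIX) and key.lower().endswith("\\shell\\open\\command"):
            # The key is named after the browser executable; a clean launcher starts that program.
            browser = key[len(STARTMENU_PREFIX):].split("\\", 1)[0]
            if not first_program(cmd).lower().endswith(browser.lower()):
                findings.append(("browser_launcher_hijack", browser))
    services_exported = any(k.startswith(SERVICES_PREFIX) for k in keys)
    if services_exported and WUAUSERV_KEY not in keys:
        findings.append(("wuauserv_missing", WUAUSERV_KEY))
    return findings


if __name__ == "__main__":
    for finding, detail in find_hijacks(*parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{finding}: {detail}")
```

The browser check deliberately compares the launched program against the key name rather than against a fixed path list, so it also catches a wrapper placed in front of a browser installed somewhere other than the default Program Files location. The same logic applies to the safemode\command subkeys shown above if the export includes them.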
More fake infection warnings pressuring the user to buy the rogue application:
SonicWALL Gateway AntiVirus provides protection against the above spam campaigns with the following signatures:
- GAV: Oficla.CE#email_2 (Trojan) [599,897 hits]
- GAV: Oficla.AC (Trojan) [105,518 hits]
- GAV: Oficla.AE_3 (Trojan) [60,962 hits]
- GAV: Oficla.MKD (Trojan) [27,559 hits]