Reminder: be careful opening invoices on the 21st March
On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.
The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:
The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.
Below is an example email:
The downloaded malware (MD5: 3772e3c2945e472247241ac27fbf5a16) is detected by Kaspersky Lab as Trojan.Win32.Yakes.cngh. It contains various Italian strings (“lastoriasiamo”, “famiglia”, “badalamenti”, impastato”) which may be Mafia related. It also contains the following version information:
Apparently, BTP are Italian government bonds, Bund are German government bonds and “Spread BTP/Bund” is a way of comparing the difference in yields.
When the malware runs it displays the following error message:
It then installs itself in the temp directory with a random name (e.g. vlsnekunrn.pre) and attempts to contact zeouk-gt.com.
Looking back through our past feedback data, we noticed similar patterns on the 4th and 21st of several months.
On the 21st February we blocked a large number of emails containing a very similar PDF attachment. This time the attachment names included the word “Rechnung” (meaning “invoice”) and a date (e.g. Rechnung_201302.pdf and 2013_02rechnung.pdf). The senders were from a wide variety of countries including South Africa, United States, Australia and Japan. This time the computer names referenced in the mail headers looked randomly generated (e.g. ydopsgf and bxahwdkw) and interestingly, the headers also referenced the domain zeus3.hostwaycloud.com.
On 4th January the sample was called Rechnung201301.pdf and the malware was downloaded from the following URLs:
On 21st November the sample was called RECHNUNG000201211.pdf and downloaded the malware from:
This seems to be a very well put together campaign and it doesn’t seem to be going away. So, if you receive an invoice on March 21st or April 4th, be extra cautious. Although, the authors may change their invoicing date, so it is better to be cautious all the time.