Seeding attempt in Germany

Earlier this week, Trend Micro EMEA received reports of a Trojan being spammed. The e-mail carrying the Trojan is apparently written in German, as shown below…




Bestellung # 67321 von EUR 391.00 ist angenommen.



Sony RX-F18 8.0 MP Digital Camera

Ihre Bestellung # 67321 von EUR 391.00 ist angenommen.

Ihre Karte wird mit dem faelligen Betrag belastet. Danke fuer Ihren Kauf.

Als Anlage finden Sie die Rechnung.


Which roughly translates to…




Subject:

Order # 67321 of EUR 391.00 was accepted



Body:

Sony RX-F18 8.0 MP Digital Camera

Your order # 67321 of EUR 391.00 was accepted.

Your credit card will be charged with the payable amount. Thank you for your purchase.

Attached you’ll find the bill.


The attachment filename is of the form rechnung_?????.exe, where ????? is the order number found in the e-mail subject.
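The pairing described above (an order number in the subject that reappears in an executable attachment's name) can be checked at a mail gateway. The following Python sketch is an added example, not Trend Micro's detection logic; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject shape from the sample: "Bestellung # 67321 von EUR 391.00 ist angenommen."
SUBJECT_ORDER = re.compile(r"Bestellung\s*#\s*(\d+)", re.IGNORECASE)
# Attachment shape from the post: rechnung_<order number>.exe
ATTACHMENT = re.compile(r"^rechnung_(\d+)\.exe$", re.IGNORECASE)

def lure_attachments(raw: bytes) -> list[str]:
    """Return attachment names of the form rechnung_<N>.exe where N is the
    order number quoted in the Subject header; empty list if none match."""
    msg = message_from_bytes(raw, policy=policy.default)  # decodes RFC 2047 headers
    subject = SUBJECT_ORDER.search(str(msg.get("Subject", "")))
    if subject is None:
        return []
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        found = ATTACHMENT.match(name)
        if found and found.group(1) == subject.group(1):
            hits.append(name)
    return hits

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment body is inert placeholder text."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Als Anlage finden Sie die Rechnung.")
    msg.add_attachment(b"constructed placeholder, not a real sample",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    subject = "Bestellung # 67321 von EUR 391.00 ist angenommen."
    for fname in ("rechnung_67321.exe", "rechnung_67321.pdf", "rechnung_12345.exe"):
        print(fname, "->", lure_attachments(build_sample(subject, fname)))
```

Only the first constructed filename is reported, because it is both an .exe and carries the same number as the subject; a gateway would normally block executable attachments regardless, with this correlation used to tag the specific campaign.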


This particular incident seems to be a seeding attempt where the target users are, of course, those who read and understand German. The malicious attachment is a downloader Trojan detected by Trend Micro as TROJ_DLOADER.FWM, which downloads other Trojans from the site idite-nahiy-abusery.com.


The downloaded malware are variants of TROJ_BZUB and TROJ_AGENT; both Trojans serve as proxy servers that wait for commands posted on idite-nahiy-abusery.com.