Active Spam Campaign is Spreading a Banking Trojan Known as “Feodo” – Here’s What to Look For – Startech Business Systems

The SonicWall Capture Labs Threat Research team has been observing an active spam campaign spreading a banking Trojan widely known as Feodo. This spam uses a very common tactic of sending a fake invoice or bank statement as an attachment with a link that leads to downloading malware.

Infection cycle:

The spam email purports to come from a bank, vendor or business supplier and typically carries a PDF or DOC attachment, as shown below.

Opening the PDF attachment, for instance, reveals a link that claims to download your invoice or statement.


Clicking on the link downloads a document file that contains embedded Visual Basic macros.

These macros launch a complex chain of actions as soon as the document is opened. Because the macro security setting in the Trust Center disables macros by default, a security warning appears whenever a document containing macros is opened. To get around this, the body of the document instructs the victim to click "Enable Editing" and "Enable Content" in order to view it.


Once the Visual Basic script executes, it spawns cmd.exe, which in turn launches powershell to download the banking Trojan.

Below is an example of the commands that cmd and powershell executed to carry out this task:



The script then runs the downloaded Feodo Trojan. The Trojan copies itself as "pagesrouted.exe" and registers itself in the registry to ensure persistence:

  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run  pagesrouted   “%APPDATA%/Local/Wndows/pagesrouted.exe”
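The Run-key persistence described above is something a defender can audit directly. The following PowerShell script is an added example, not code from the SonicWall or Startech post: it enumerates the common Run/RunOnce keys under HKLM and HKCU and flags any entry whose command points into a user-profile or temp directory (where this sample wrote itself) or that matches the "pagesrouted" indicator named in the post. The list of suspicious path patterns is an assumption chosen for illustration, not an indicator from the post.

```powershell
# Added example: audit auto-start Run keys for entries that look like the
# persistence mechanism described in the post. Not part of the original article.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate auto-start entries rarely live under a user profile
# or a temp directory, so these substrings are treated as suspicious.
$suspiciousPathPatterns = @('\AppData\', '%APPDATA%', '%LOCALAPPDATA%', '\Temp\')

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $value   = [string]$p.Value
            $reasons = @()

            foreach ($pat in $suspiciousPathPatterns) {
                # -like is case-insensitive by default, which is what we want here.
                if ($value -like "*$pat*") { $reasons += "path contains '$pat'" }
            }

            # Indicator taken from the post: value name "pagesrouted" / pagesrouted.exe
            if ($p.Name -eq 'pagesrouted' -or $value -like '*pagesrouted.exe*') {
                $reasons += 'matches Feodo indicator "pagesrouted"'
            }

            if ($reasons.Count -eq 0) { continue }

            # Pull the executable path out of the command so we can check whether
            # the referenced file still exists on disk (it may have been removed).
            if ($value -match '^"([^"]+)"') { $exePath = $Matches[1] }
            else                            { $exePath = ($value -split '\s+')[0] }
            $expanded = [Environment]::ExpandEnvironmentVariables($exePath)

            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $value
                Exists  = (Test-Path -LiteralPath $expanded)
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; reading these keys does not require elevation. An entry flagged only by the path heuristic is a lead for review rather than a verdict, since some legitimate updaters also start from %LOCALAPPDATA%, but an entry named "pagesrouted" or pointing at pagesrouted.exe matches the indicator the post describes and should be treated as a likely infection.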

During our analysis, the Trojan just runs quietly in the background. Once we opened a browser instance and logged onto an online banking website, it then contacted a known Feodo C&C server and sent encrypted data.


During the past week, we have observed this threat spread throughout the United States, Germany, India and Brazil.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Feodo.S (Trojan)
  • GAV: Feodo.S_2 (Trojan)

Contact Startech today for information about our Social Engineering, Penetration tests and other IT assessments and services today!
