Over the last two weeks, we have seen an increase of fake e-mails pretending to contain invoices for various companies including UPS, Fedex and airlines from around the globe.  Subject of such e-mails include “Fedex tracking number 1234567890” or “E-ticket #1234567890”.  The body of the e-mail states that the recipient’s credit card has been charged for hundreds of dollars and that an invoice for their purchase is attached to the message.  The attached file has an Excel of Word icon but, in reality, it is an executable file.  We remind our readers not to make judgement on the nature of a file by its icon but by its extension.  It is trivial for a programmer to change the icon of their program, thus tricking users into thinking that a program is harmless.  We have also seen variants of this attack that had zip compressed e-mail attachments.

If the attached file is executed, it copies itself to the system32 folder under the name “ntos.exe”.  It then injects code into active processes including winlogin.  The injected code is responsible for communicating with a command and control server that will give orders as to what action should be taken next.  The command and control server uses the HTTP protocol and the commands are sent in an encoded file currently called rev.bin.  The command and control server is located in the United Kingdom at present time.  ESET Antivirus detects this threat as Win32/Spy.Agent.NES, other vendors call it Zbot.

At the time of analysis, Agent.NES was instructed to download an additional component from the Internet.  This additional component is a fake antivirus, another threat that is very popular these days.  The fake antivirus program will display warning messages like the following screenshot.  If the user clicks on the button to activate the product, he is asked to pay a certain amount of money.  This is where the malware author make their money.  

ESET Antivirus detect this family of fake security products as Win32/TrojanDownloader.FakeAlert.DR.  This whole operation proves, one more time, that fear sells.  The first stage of the attack involve fear that the victim might have been charged for something they didn’t want and the second uses the fear that a computer might be at risk.

Pierre-Marc Bureau
Researcher