May 17th, 2010, 15:00 GMT · By

New Bredolab Campaign Spoofs Amazon

Fake Amazon order confirmation emails spread new Bredolab trojan variant
A new Bredolab distribution campaign is sending fake emails that masquerade as order-confirmation messages from Amazon. The attached archive contains a malicious executable which, once run, installs a new variant from the Bredolab family of trojans.

According to email security provider MX Lab, the malicious communications have subjects of the form "Your order has been paid! Parcel NR:58588-691" and arrive from a spoofed refrigeratorser22@rokulabs.com address. The messages are signed by an alleged Amazon employee named Vaughn Montes.

The spam emails use social engineering to pique the curiosity of recipients and trick them into opening the attachment. "Dear Sirs, Thank you for shopping at Amazon.com! We have successfully received your payment. Your order has been shipped to your billing address. You have ordered ' Sony Bravia S1452 ' You can find your tracking number in attached to the e-mail document. Print the postal label to get your package. We hope you enjoy your order!" the bogus messages read.

The emails carry a .zip archive named Amazon_label_N-322-552.zip, although the digits in the name vary from message to message. The archive contains a single file, Amazon_label_N-322-552.DOC.exe, whose icon resource mimics a Microsoft Word document. Because Windows hides known file extensions by default, the name is displayed as Amazon_label_N-322-552.DOC, so the double extension and the Word icon together make the executable look like a harmless document.
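The attachment tricks described above (spoofed brand sender, campaign subject pattern, a ZIP whose member has a document.exe double extension and a PE header) can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from Softpedia or MX Lab: it builds a constructed .eml modelled on the lure (the "executable" inside is a stub MZ header, not malware), parses it with the Python standard library and reports the indicators. The helper names, the extension lists and the size limit are assumptions for the demo.

```python
"""Added example: gateway-style triage of an Amazon-lure email with a ZIP attachment.
All message content and the archive member are constructed for this demo."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types Windows runs directly. A name such as Amazon_label_N-322-552.DOC.exe pairs a
# document-looking middle extension with one of these so the file passes as a Word document
# when known extensions are hidden. (Lists are assumptions chosen for the demo.)
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def has_double_extension(name: str) -> bool:
    """True for names like label.DOC.exe: a document extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXT and parts[2] in EXECUTABLE_EXT


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header, whatever the file is called."""
    return data[:2] == b"MZ"


def inspect_zip(blob: bytes) -> list:
    """Return (member_name, reason) findings for an attached archive, without extracting to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if has_double_extension(name):
                findings.append((name, "double extension"))
            elif name.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXT:
                findings.append((name, "executable inside archive"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((name, "member too large to inspect"))
                continue
            if looks_like_pe(zf.read(name)):  # content check: the name can lie, the header cannot
                findings.append((name, "PE header (MZ) in attachment"))
    return findings


def analyze_message(raw: bytes) -> dict:
    """Header and attachment checks modelled on the lure described in the article."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"header_flags": [], "attachment_findings": []}

    # Brand impersonation: the body talks about Amazon, the sender domain is something else.
    _, sender = parseaddr(str(msg["From"] or ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if "amazon" in text.lower() and not sender_domain.endswith("amazon.com"):
        report["header_flags"].append(f"claims Amazon but sent from {sender_domain}")

    # Subject pattern used by this campaign: "Parcel NR:<digits>-<digits>".
    if re.search(r"Parcel NR:\d+-\d+", str(msg["Subject"] or "")):
        report["header_flags"].append("campaign subject pattern")

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_content()
        if fname.lower().endswith(".zip") and isinstance(payload, bytes):
            report["attachment_findings"].extend(inspect_zip(payload))
        elif has_double_extension(fname):
            report["attachment_findings"].append((fname, "double extension"))

    report["verdict"] = "malicious" if report["attachment_findings"] else "clean"
    return report


def build_sample_eml() -> bytes:
    """Constructed message mimicking the campaign; the archive member is a 64-byte MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Amazon_label_N-322-552.DOC.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Vaughn Montes <refrigeratorser22@rokulabs.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your order has been paid! Parcel NR:58588-691"
    msg.set_content("Dear Sirs, Thank you for shopping at Amazon.com! We have successfully "
                    "received your payment. Print the postal label to get your package.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Amazon_label_N-322-552.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze_message(build_sample_eml()))
```

Two design points matter in practice: the archive is inspected in memory rather than extracted, and the PE check reads the member's first bytes so that a renamed executable is caught even if the attacker drops the double extension. The size guard keeps a crafted archive from forcing the scanner to inflate gigabytes.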

The executable is the installer for a new Bredolab variant which, at the time of writing, was detected by only nine of the 41 antivirus engines on VirusTotal. On execution the trojan drops a file named 1.tmp in the Temp directory and one named thxr.wgo in C:\WINDOWS\system32\.

It is worth noting that in this case Bredolab acts as a malware-distribution platform rather than as the final payload. After infecting a computer, the trojan contacts a command-and-control server on a .ru domain, from which it receives instructions to download and execute a file named bot.exe. That file is a recent Zbot (ZeuS) banking trojan variant with a 75% detection rate on VirusTotal.
