Another round of spammed versions of TrojanPSW.Tepfer are arriving in users inboxes today. Like the previous versions, this round of emails have also been socially engineered to trick users into opening its malicious attachment. The email contains a forged “From:” field pretending to originate from ADP Payroll Services.
The email scam will also contain an Attachment. The attachment is a malicious executable file (disguised as a Payroll Report shipped via FedEx).
Here is an example email:
If the attachment is executed, the unknowing users machine gets infected with a Trojan identified by Thirtyseven4 Antivirus as “TrojanPSW.Tepfer.hbw“.
Upon analysis of the Trojan, we have observed that the file drops files at the following locations-
%AppData%\[randome_name folder]\[randome_name].exe {polymorphic file}
%AppData%\[randome_name].dll
After that, it attempts to visit various links to download further malicious files.
hxxp://zkoncepts.com/c8H.vxe
hxxp://evergreen-lending.com/heyJU.vxe
hxxp://ftp.aikenmovingboxes.com/Q0o.vxe
hxxp://afergusonjr.com/9wicxN.vxe
hxxp://nettecsystem.de/FkXZWaeS.vxe.
The dropped files by TrojanPSW.Tepfer are polymorphic in nature (meaning every time you visit the same link you will get a different file).
In addition to updating the Thirtyseven4 Antivirus virus scanner for these threats and future similar threats, the Thirtyseven4 Browser Protection module will be immediately updated to block any future websites should this Trojan start attempting to reach malicious websites.
| 
