When my wife told me she had received an email confirming a purchase she hadn’t made, my first thought was:

How can she even remember what she bought? She buys tons of clothes online; she probably just doesn’t remember this one, and it wouldn’t be the first time 😉

After she told me 1,000 times that she had not bought anything from that store, I decided to take a look at it. It really looked like a legit message, so I asked her again. She looked at me in a way that only your better half can, and at that moment I understood that my life was at risk if I dared to ask again.

I looked at it again and it turned out it was not a legit email. Cybercriminals often use this kind of social engineering technique, but their messages are usually less elaborate than this one:

When you click the link to view the order, you are taken somewhere else entirely: the message is HTML, so the real destination is not visible in the text and the user believes they are about to see the actual order. You are then asked to download the following file:

As you can see, the file name matches the subject of the message and the fake order number, and it uses the Acrobat icon to fool users into opening the file, since they will think it is a PDF. Most users have their systems configured to hide known file extensions, so they would never see the .exe that is visible in the picture.
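Two of the tricks just described can be checked mechanically before anyone opens anything: a link whose visible text or claimed sender domain disagrees with where the href really points, and an attachment whose real extension is executable, possibly hidden behind a document-like one. The script below is an added example written for this post, not code from the original article; the store domain, order number, TEST-NET address and file names are all constructed, and it generalises the post's single `.exe` case to other executable extensions.

```python
"""Triage for a phishing e-mail of the kind described above.

Two of the tricks in the post can be checked mechanically:
  1. an HTML link whose visible text or claimed sender domain does not match
     where the href really goes;
  2. an attachment whose real extension is executable, optionally hidden behind
     a document-like one (e.g. 'Order 4A7K-22913.pdf.exe').
Every sample value below (store domain, order number, IP address) is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import os

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                       ".jpg", ".png"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare 'www.example.test/path' string, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_domain):
    """Return links that disagree with their visible text or the sender's domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only treat the anchor text as a URL if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        reasons = []
        if shown and shown != real:
            reasons.append("text-href mismatch")
        if real and not in_domain(real, claimed_domain):
            reasons.append("off-domain")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


def attachment_risk(filename):
    """'executable-disguised', 'executable' or 'ok' for an attachment name."""
    base, last = os.path.splitext(filename.lower())
    _, previous = os.path.splitext(base)
    if last in EXECUTABLE_EXTENSIONS:
        return "executable-disguised" if previous in DOCUMENT_EXTENSIONS else "executable"
    return "ok"


def triage(html, attachments, claimed_domain):
    """Run both checks over one message."""
    return {"links": suspicious_links(html, claimed_domain),
            "attachments": {a: attachment_risk(a) for a in attachments}}


# Constructed sample: the "store" is example-store.test, the link target is a
# TEST-NET address, and the order number is invented.
CLAIMED_DOMAIN = "example-store.test"
SAMPLE_HTML = """
<p>Thank you for your order 4A7K-22913.</p>
<p><a href="http://203.0.113.7/track/4A7K-22913">View your order</a></p>
<p><a href="http://203.0.113.7/help">www.example-store.test/help</a></p>
<p><a href="https://www.example-store.test/account">Manage account</a></p>
"""
SAMPLE_ATTACHMENTS = ["Order 4A7K-22913.pdf.exe", "Order 4A7K-22913.exe", "invoice.pdf"]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_HTML, CLAIMED_DOMAIN):
        print("LINK", link["reasons"], repr(link["text"]), "->", link["href"])
    for name in SAMPLE_ATTACHMENTS:
        print("FILE", attachment_risk(name), name)
```

The "off-domain" check is deliberately strict: any link that leaves the sender's own domain is reported, because a confirmation email from a store has little reason to send you elsewhere, and the one mismatched host in the sample is exactly the kind of link the post describes.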

Once you have done it… bad news: this is a nasty Trojan with bot capabilities. It is designed to steal all kinds of personal information, from Bank of America customers’ credentials to accounts on the Steam gaming platform. It also logs everything you do on your computer, so the next time you log in to Facebook, Gmail, etc., your passwords are sent to the cybercriminals.

Doing some reversing, I found out that it also looks for other Trojans, mainly competing bots such as Zeus and DarkComet, and removes them if they are present on the system. As Sean Connery (Ramirez) said in the film Highlander: “In the end there can be only one.”

Once installed, it creates a registry entry to ensure it is executed every time the computer starts. It uses the name “Windows Defender” for that entry, so a user who sees it will think it is some kind of legitimate application. It also modifies some registry values to bypass the firewall (very important when you intend to send out the stolen data).
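The persistence trick above, a Run-key value named after a trusted product, is cheap to spot if you compare the name with where the command actually launches from. The heuristic below is an added example written for this post, not code from the original article or from any product: the Run entries are constructed samples, and the list of trusted-sounding name tokens and of admin-only install roots are my own assumptions, not the malware's real values.

```python
"""Heuristic check of autorun entries for the trick described above: a
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value that borrows a
trusted name but launches from a user-writable location.

The entries below are constructed samples, not data from the post; the token
list and the trusted-root list are assumptions for the example.
"""
import ntpath

# Names a user is likely to trust at a glance (assumed list).
TRUSTED_NAME_TOKENS = ("windows defender", "microsoft", "security", "antivirus", "update")
# Locations that normally need administrator rights to write to
# (lower-cased, with a trailing separator so prefix matching is exact).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def command_path(command):
    """Extract the executable path from an autorun command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the executable is the first space-separated token.
    return command.split(" ", 1)[0]


def suspicious_autoruns(entries):
    """Return (name, path) for entries whose trusted-sounding name launches from
    outside the trusted roots. Legitimate per-user software in AppData with an
    ordinary name (e.g. a sync client) is intentionally not reported."""
    findings = []
    for name, command in entries:
        path = ntpath.normpath(command_path(command)).lower()
        looks_trusted = any(token in name.lower() for token in TRUSTED_NAME_TOKENS)
        if looks_trusted and not path.startswith(TRUSTED_ROOTS):
            findings.append((name, path))
    return findings


# Constructed sample of Run values as (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("Windows Defender", r'"C:\Users\Alice\AppData\Roaming\Microsoft\windefender.exe"'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\Alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autorun: {name!r} -> {path}")
```

On a live system the entries would come from the Run keys themselves (for example via `winreg` or Sysinternals Autoruns); the function only needs the (name, command) pairs, which is why it runs offline on the constructed list here.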

Lessons learnt:

1.- Your wife is always right, and if she tells you something, you don’t need to ask about it again.

2.- Remember everything you buy online to avoid being fooled.