Posts Tagged ‘Downloader’


Malicious spam campaign: Credit Card Overdue

By Rodel Mendrez  •  June 30th, 2011  •   Spam

We are currently seeing a large-scale malicious spam campaign that claims to be a “Credit Card Overdue” notice. The campaign originates from one of the Cutwail spambot variants. The theme names no specific credit card brand, possibly because the spammer thought a generic template would entice more victims. The spam message claims the credit card holder has an overdue balance that must be settled within 2 days or else a $25 late fee and a finance charge will be imposed.

The malicious application is attached in a zip file disguised as a credit card statement. Extracting the zip file reveals a Trojan downloader executable that uses an Adobe PDF icon. When the executable is run it downloads a fake anti-virus executable from the following URL:

http://mysteryforyou1[dot]ru/pusk.exe
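The attachment trick described above relies on the icon and file name, not on the file's real type. The following Python script is an added example (not code from the original post) showing how a mail gateway or analyst can triage a zip attachment by checking each member's bytes for a PE header and flagging name/content mismatches such as a "statement" that is really an executable. The zip archive and the fake executable inside it are constructed inline so the script runs offline; the fake executable is only a DOS/PE header, not a program.

```python
"""Triage a zip attachment: flag members that are really Windows executables,
regardless of the file name or icon they carry.

Added example, not from the original post. The archive and its contents are
constructed below so the script runs offline.
"""
import io
import struct
import zipfile

# Magic values from the PE file format: "MZ" DOS header, "PE\0\0" at e_lfanew.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Extensions that Windows executes directly on double-click.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def is_pe_executable(data: bytes) -> bool:
    """Return True if the bytes look like a PE (Windows) executable.

    Checks the DOS magic and follows e_lfanew (offset 0x3C) to the PE
    signature, so a renamed .exe is still recognised.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect each member of a zip archive and report why it is suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            head = zf.open(info).read(0x200)  # the header is enough for the check
            reasons = []
            if lower.endswith(EXEC_EXTENSIONS):
                reasons.append("executable extension")
                if lower.count(".") >= 2:
                    reasons.append("double extension (e.g. .pdf.exe)")
            if is_pe_executable(head):
                reasons.append("PE header present")
                if not lower.endswith(EXEC_EXTENSIONS):
                    reasons.append("extension/content mismatch")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "reasons": reasons,
                "suspicious": bool(reasons),
            })
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloader: a buffer with a valid DOS header
    and PE signature only. It is not a runnable program."""
    buf = bytearray(0x100)
    buf[0:2] = DOS_MAGIC
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> PE signature
    buf[0x80:0x84] = PE_SIGNATURE
    return bytes(buf)


def build_sample_zip() -> bytes:
    """Constructed attachment: a 'statement' that is really an executable,
    plus a harmless text file for contrast."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("CreditCard_Statement.pdf.exe", build_fake_pe())
        zf.writestr("readme.txt", "Nothing to see here.\n")
    return out.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']} ({f['size']} bytes) {', '.join(f['reasons'])}")
```

The check on the PE header is the important one: the extension and icon are under the spammer's control, the bytes are not. A real gateway would also apply this to nested archives and to members with no extension at all.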


The fake AV pops up a fake warning.

Fake AV system utility

Spammers are constantly inventing new social engineering themes in an effort to distribute their malware. Targeting credit card holders, especially in this tough economy, is just another theme in their portfolio. The spammers change their themes over time, and often just recycle old ones. There is enough in this message to make most people suspicious, especially the fact that your credit card company is unlikely to be emailing you in the first place. So, as usual, be wary.


Your Music Order – a loaded PDF

By Phil Hay  •  March 31st, 2011  •   Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone “Order” with an attached PDF file, using Subject lines similar to the following:

  • Your Order No 129589 – Warner Music Inc.
  • Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a bunch of obfuscated JavaScript, which attempts to exploit the Adobe getIcon vulnerability (CVE-2009-0927). If successful, the following payload is downloaded:

hxxp://kawabungashop.ru/flash/1.php

The 1.php file is an executable downloader (VirusTotal Report). Another piece of malware is then downloaded and installed (VirusTotal Report): a spambot that proceeds to send out further copies of the PDF file, as you can see from the template we captured:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion. And please be sure to keep your PDF reader meticulously up to date to avoid being exploited by old vulnerabilities such as this one.
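The post says the PDF carries obfuscated JavaScript aimed at the getIcon API. As an added example (not code from the original post), the Python script below performs the static triage an analyst would run on such an attachment: it inflates FlateDecode streams, undoes the `#xx` hex escapes that PDF allows in names (so `/Java#53cript` is seen as `/JavaScript`), and reports JavaScript actions, auto-run entries and any reference to `getIcon`. The sample PDF is constructed inline and contains only these structural markers and a placeholder line, not an exploit.

```python
"""Static triage of a PDF for embedded JavaScript and getIcon references.

Added example, not from the original post. The sample PDF is constructed
below; its script body is a placeholder, not an exploit.
"""
import re
import zlib

# PDF names may be written with #xx hex escapes, e.g. /Java#53cript for
# /JavaScript, a common trick to dodge naive string matching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Token -> description. The first two decide the verdict; the rest add context.
INDICATORS = {
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "JS entry (script body)",
    b"/OpenAction": "auto-run on open",
    b"/AA": "additional actions",
    b"getIcon": "app.getIcon() reference",
}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Java#53cript becomes /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every stream zlib can decode, so that
    indicators hidden inside FlateDecode streams are visible too."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or not decodable; skip it
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes) -> dict:
    """Return the indicators found and a verdict on the file."""
    if not data.startswith(b"%PDF"):
        return {"is_pdf": False, "indicators": [], "suspicious": False}
    view = normalise_names(inflate_streams(data))
    found = [desc for token, desc in INDICATORS.items() if token in view]
    has_js = b"/JavaScript" in view or b"/JS" in view
    return {"is_pdf": True, "indicators": found, "suspicious": has_js}


def build_sample_pdf() -> bytes:
    """Constructed sample: a minimal PDF whose OpenAction points at a
    JavaScript action (name hex-escaped) whose body sits in a FlateDecode
    stream. The body only names the API; it is a placeholder."""
    script = b"// constructed placeholder, not an exploit\napp.getIcon(this, 'x');"
    body = zlib.compress(script)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /Java#53cript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    print("suspicious:", result["suspicious"])
    for desc in result["indicators"]:
        print(" -", desc)
```

A plain `grep JavaScript` misses this sample twice over: the action name is hex-escaped and the script body is compressed. Real samples go further (object streams, other filters, string splitting inside the JavaScript itself), so treat a clean result from a scanner like this as "nothing obvious", not as "safe".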
