Malicious Attachments Distribute BREDOLAB Malware
In the recent past, researchers at Trend Micro have found a considerable increase in the number of spam messages that deliver malicious attachments to users.
These emails came in the form of an annual Social Security statement, while other hooks used resumes, weddings, job offers and even a puzzle. A resume-related spam email reads as follows: "I cleaned up resume formatting and will be reviewing the content at a point today. Save this as your recent version and I'll speak to you later."
Another email, in the form of a wedding invitation, says: "I and my family solicit your esteemed presence to grace and shower your blessings on this auspicious occasion of my wedding on 23rd September 2010 at my native Dhar."
In both cases, a zip file was attached to the emails.
The same series of spam messages is also used to spread bogus anti-virus software and other scams, and it is hard to tell whether any new command-and-control structure, much less a fresh round of spamming, has begun.
Two variants have been seen, with the infected attachment being either a FAKEAV variant such as TROJ_FAKEAV.FGZ, TROJ_FRAUDLO.LO or TROJ_FAKEAV.SGN, or a downloader that in turn leads to BREDOLAB and FAKEAV variants.
The security experts commented on the tactics used by the cyber crooks in these attacks, saying that the use of infected attachments is a well-known method of distributing malware through email. However, many recent attacks have already been seen that use almost identical payloads.
At first, the researchers thought it was the infamous Waledac botnet, taken down in February 2010, coming back. They said that attacks designed to draft new recruits into the Waledac spambot network had returned after the zombie network was effectively decapitated.
After in-depth analysis of this threat, senior threat researchers at TrendLabs re-categorized the malware used in this attack as a BREDOLAB variant (identified as TROJ_BREDOLAB.JA) instead of WALEDAC.
According to news published by The Register on August 13, 2010, the security firm said that an unfortunate combination of machine and human errors led to the threat being mislabeled as Waledac, and apologized for the confusion.
SPAMfighter News - 23-08-2010