
Internauts Facing Heat of “Tyranny of the Police” Malware Email

Security firm MX Lab recently began intercepting an email campaign that distributes a Trojan under the subject line "Tyranny of the police."

The email exploits the killing of a civilian by a police officer in Ferguson, US. Protests and riots took place in Ferguson and in some other US cities after the release of the police officer. MX Lab observes that this is or has been major news, depending on where you reside, and that with this bogus email, sent out on behalf of Dean & Lyons, LLP, a law firm situated in Texas, the masterminds of this scheme are trying to gain more attention and draw victims to their email.

The embedded URL leads to hxxp://creative25.com/CNN_online/get_news.php and downloads the file BreakingNews_pdf63.zip, which contains the malware, a 23 kilobyte (KB) file named BreakingNews_pdf.exe. After the malware has been downloaded, the browser is redirected to a genuine CNN (Cable News Network) web page and a news article from August 2014 about this and other past incidents.
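A defender-side check for the lure described above, as an added example that is not part of the original article or of MX Lab's tooling: it lists ZIP members that are Windows programs, and notes when their names look like documents. The extension and token lists, the function names and the sample archive (harmless placeholder bytes) are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumed, non-exhaustive list of extensions Windows runs directly.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumed tokens that make a file name look like a document.
DOC_TOKENS = ("pdf", "doc", "xls", "invoice", "news")


def suspicious_members(zip_bytes):
    """Return [(name, [reasons])] for members that look like disguised programs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = posixpath.splitext(info.filename.lower())
            reasons = []
            # Encrypted members cannot be read without the password,
            # so for those only the name is checked.
            if not info.flag_bits & 0x1:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # DOS/PE header magic
                        reasons.append("PE header (MZ)")
            if ext in EXEC_EXTS:
                reasons.append("executable extension " + ext)
            if reasons and any(tok in stem for tok in DOC_TOKENS):
                reasons.append("document-like name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed archive with harmless placeholder bytes (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BreakingNews_pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("article.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample()):
        print(name, "->", ", ".join(reasons))
```

Because the check looks at the file header as well as the name, it also flags a program renamed to a document extension, and it does not depend on an antivirus signature for the payload.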

The Trojan is known as UDS:DangerousObject.Multi.Generic, HEUR/QVM20.1.Malware.Gen or Upatre.FH.

An expert at MX Lab says that the threat brings in a variant which is also known as Dyre. It is a Trojan used to steal banking information, and it has been used against many financial institutions in European countries, particularly in Switzerland. It has also been observed targeting customers of Salesforce, the cloud-based CRM (customer relationship management) provider, and stealing credentials for Bitcoin trading websites.

The malicious file was analysed on 5th December, 2014, and the analysis showed that only three out of 54 antivirus engines on VirusTotal could identify the threat. However, at the time of writing this article, the detection rate has increased, with 19 products marking the item as malicious.

The domain hosting the malicious file has been suspended and currently there is no risk of getting malware from that address. However, cybercriminals may register a new domain for the campaign and keep on sending the fraudulent emails.

Therefore, users are advised to verify the information first, to abstain from accessing links in suspicious messages, and to keep the security software on their systems updated.

» SPAMfighter News - 12/16/2014
