Attackers are always looking for new ways to attain their goals. Spammed emails with malicious file attachments are a frequently used tool. These attachments are usually compressed (frequently as .RAR or .ZIP files) and contain malicious payloads, like the notorious UPATRE malware family. Other common attachments include document files that drop malware.
However, since September we have been seeing spammed messages with a unique technique. Instead of the above file types, these use control panel (CPL) files as their attachment. (CPL files are normally used by applets in the Windows Control Panel.) These messages typically claim to concern financial matters in order to get users to open the email and its attachment.
Figure 1. Spam sample
The email has an RTF file attachment that has an embedded malicious executable file. Trend Micro detects this .RTF file as TROJ_CHEPRO.RTF. Once the .RTF file is opened, it will display an image with instructions in Portuguese to double-click the image.
Figure 2. Malicious RTF file with embedded image
Once the user clicks the image, the RTF file will execute the embedded file. This embedded file is a malicious CPL file, which Trend Micro detects as TROJ_CHEPRO.CPL. This malware will connect to a URL and download several encrypted files. When decrypted, these files are detected by Trend Micro as TSPY_BANCOS.CVH. This is an information-stealing malware that collects certain system-related information.
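The RTF stage described above carries its payload as an embedded OLE object, whose bytes appear hex-encoded after the `\objdata` control word. The following triage script is an added example, not Trend Micro's code: it decodes every `\objdata` blob and flags the combination of an OLE "Package" (embedded file) class, a `.cpl` file name and an MZ executable header. The RTF sample, the file name `invoice.cpl` and the approximated OLE 1.0 header layout are constructed for the demonstration.

```python
import re
from typing import Dict, Iterator

# Hex blob that follows \objdata inside an embedded-object group
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)
# File names / paths ending in .cpl inside the decoded Package data
CPL_NAME_RE = re.compile(rb"[\w\-\\:\. ]*\.cpl\b", re.IGNORECASE)

def decode_objdata(rtf: bytes) -> Iterator[bytes]:
    """Yield the raw bytes of every \\objdata hex blob in an RTF document."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        yield bytes.fromhex(hexstr.decode("ascii"))

def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Heuristic triage of an RTF file for an embedded executable payload.

    Flags an OLE 'Package' class (an embedded file rather than a document
    object), any .cpl file name inside it, and an MZ header in the object data.
    """
    result = {"objects": 0, "package": False, "cpl_names": [], "mz": False}
    for blob in decode_objdata(rtf):
        result["objects"] += 1
        if b"Package" in blob:
            result["package"] = True
        result["cpl_names"] += [n.decode("latin-1") for n in CPL_NAME_RE.findall(blob)]
        if b"MZ" in blob:  # DOS/PE header of the dropped executable
            result["mz"] = True
    result["suspicious"] = result["package"] and (result["mz"] or bool(result["cpl_names"]))
    return result

def constructed_sample() -> bytes:
    """Constructed RTF (not a real CHEPRO sample): a Package object whose
    native data carries a fake 'MZ' stub named invoice.cpl."""
    native = b"\x02\x00" + b"invoice.cpl\x00" + b"C:\\tmp\\invoice.cpl\x00" + b"MZ\x90\x00fakepe"
    # Approximation of an OLE 1.0 object header: version, embedded format id,
    # class-name length + "Package\0", two empty names, native data length
    ole = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x08\x00\x00\x00Package\x00"
           + b"\x00\x00\x00\x00\x00\x00\x00\x00" + len(native).to_bytes(4, "little") + native)
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + ole.hex().encode("ascii") + b"}}}")

if __name__ == "__main__":
    print(scan_rtf(constructed_sample()))
```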
It monitors user transactions done on the following websites:
- Serasa Experian
It logs collected information in a text file and sends the gathered information to a URL via HTTP POST. The overall behavior diagram is below:
Figure 3. CHEPRO infection chain
Feedback from the Trend Micro Smart Protection Network suggests that there are only a few infections at the moment. However, if cybercriminals see that this technique is effective, we could see more similar attacks in the future.
We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should employ a mail scanning solution implemented on the network and enable the scanning of email messages.
Trend Micro detects and blocks all malicious files, URLs, and emails related to this attack.
Additional insights by Mark Manahan