    Spam may be seen by the public as a minor nuisance now,  but this couldn’t be further from the truth. We recently encountered spam that triggers an infection chain with ZBOT malware as the end result.

    The spammed message purports to come from Allergan Limited, the UK arm of the global health care company Allergan, Inc. It tells the recipient that the attachment contains the recipient's medical information. This attachment is actually malicious and is detected as TROJ_ARTIEF.PI. The malware takes advantage of the MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which affects several versions of Microsoft Office (specifically 2003, 2007, and 2010). The same vulnerability was targeted in other threats we have documented, including the spoofed APEC 2013 email and the EvilGrab malware found in the Asia-Pacific region.


    Figure 1. Fake email from Allergan Limited
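The chain above starts with a document attachment that exploits a flaw in the MSCOMCTL.OCX ActiveX library. The following triage script is an added example, not Trend Micro's code or tooling; it assumes the attachment is an RTF document (the TROJ_ARTIEF family name is, as far as the author of this example knows, Trend Micro's name for malicious RTF files, but the post itself does not say so) and shows how a mail gateway or analyst could pre-screen such attachments offline: confirm the file is really RTF regardless of its extension, count embedded OLE objects, pull the declared object class and the hex `\objdata` blob, and flag any object that references MSComctlLib, the library shipped in MSCOMCTL.OCX. The two sample documents, including the class name `MSComctlLib.ListViewCtrl.2` and the hex blob, are constructed for this example and carry no exploit content.

```python
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample (not a real attachment): a harmless RTF with no embedded objects.
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Your results are attached.\par}"

# Constructed sample: an RTF that embeds an OLE object whose class name points at
# MSComctlLib, the ActiveX library shipped in MSCOMCTL.OCX. The hex blob is a
# hand-made OLE1-style header followed by the class name string; it is illustrative
# only and contains no exploit data.
SUSPECT_RTF = (
    r"{\rtf1\ansi{\object\objemb\objw100\objh100"
    r"{\*\objclass MSComctlLib.ListViewCtrl.2}"
    r"{\*\objdata 01050000020000001b000000"
    r"4d53436f6d63746c4c69622e4c69737456696577"
    r"4374726c2e3200}}\par}"
)

OBJECT_RE = re.compile(r"\\object\b")                    # one per embedded OLE object
OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}]+)")     # declared class / ProgID
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")  # hex-encoded object payload


@dataclass
class RtfReport:
    is_rtf: bool = False
    object_count: int = 0
    class_names: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def is_rtf(data: bytes) -> bool:
    """RTF files start with the '{\\rtf' control word, whatever their extension says."""
    return data.lstrip().startswith(b"{\\rtf")


def decode_objdata(hex_blob: str) -> bytes:
    """Strip whitespace/newlines from an \\objdata group and decode the hex."""
    clean = re.sub(r"\s+", "", hex_blob)
    if len(clean) % 2:
        clean = clean[:-1]  # tolerate an odd trailing nibble from a truncated file
    return binascii.unhexlify(clean)


def triage_rtf(data: bytes, filename: str = "") -> RtfReport:
    """Static pre-screen of a mail attachment; no macro or OLE execution involved."""
    report = RtfReport(is_rtf=is_rtf(data))
    if not report.is_rtf:
        return report
    text = data.decode("latin-1")  # RTF is 7-bit ASCII; latin-1 never raises

    report.object_count = len(OBJECT_RE.findall(text))
    if report.object_count:
        report.indicators.append("embedded_object")

    # An RTF body behind a Word extension is a common disguise for exploit documents.
    if filename.lower().endswith((".doc", ".docx")):
        report.indicators.append("extension_mismatch")

    report.class_names = [c.strip() for c in OBJCLASS_RE.findall(text)]
    blobs = [decode_objdata(h) for h in OBJDATA_RE.findall(text)]
    names_lower = " ".join(report.class_names).lower()
    if "mscomctllib" in names_lower or any(b"MSComctlLib" in b for b in blobs):
        report.indicators.append("mscomctl_control")
    return report


if __name__ == "__main__":
    for name, doc in (("results.rtf", BENIGN_RTF), ("medical_record.doc", SUSPECT_RTF)):
        rep = triage_rtf(doc.encode("latin-1"), name)
        print(f"{name}: suspicious={rep.suspicious} objects={rep.object_count} "
              f"classes={rep.class_names} indicators={rep.indicators}")
```

The class name is checked both in the `\objclass` group and inside the decoded `\objdata` bytes because the two do not have to agree; an attachment with any `mscomctl_control` indicator is worth quarantining for analysis, since ordinary medical or business correspondence has no reason to embed an ActiveX list or tree control.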

    This malware drops and executes BKDR_LIFTOH.AD. This backdoor often downloads ZBOT; in this instance it leads to the download of TSPY_ZBOT.VHP. ZBOT malware is known for stealing login credentials and account information, in particular from online banking users.

    One interesting detail in this particular attack is the use of BKDR_LIFTOH malware. Variants often propagate via social networking sites and multi-protocol instant messaging (IM) programs. Propagation through spam is quite rare.

    This isn’t the only spam that employs the same attack. We spotted other spam with the same malware attachment, but with different content. Content from these emails suggests that these messages target British users.



    Figures 2 and 3. Other similar spammed messages

    Users should always take extra precaution when dealing with e-mail attachments; in general these should not be opened unless  Email from unknown senders should be ignored or immediately deleted. Trend Micro protects users from this threat by blocking the spam messages and detecting the malware cited in this entry.

    With additional insights from Eruel Ramos and Alvin Bacani









    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice