TrendLabs Malware Blog - Trend Micro

Attackers are always looking for new ways to attain their goals. Spammed email messages with malicious file attachments are a frequently used tool. These attachments are usually compressed (frequently as .RAR or .ZIP files) and contain malicious payloads, such as the notorious UPATRE malware family. Other common attachments are document files that drop malware.

However, since September we have been seeing spammed messages that use a unique technique. Instead of the file types above, these use Control Panel (CPL) files as their attachment. (CPL files are normally used by applets in the Windows Control Panel.) These messages are usually framed as being related to financial matters in order to get users to open the email and its attachment.

Figure 1. Spam sample

The email has an RTF file attachment with an embedded malicious executable file. Trend Micro detects this .RTF file as TROJ_CHEPRO.RTF. Once the .RTF file is opened, it displays an image with instructions in Portuguese telling the user to double-click the image.

Figure 2. Malicious RTF file with embedded image

Once the user clicks the image, the RTF file executes the embedded file. This embedded file is a malicious CPL file, which Trend Micro detects as TROJ_CHEPRO.CPL. This malware connects to a URL and downloads several encrypted files. Once decrypted, these files are detected by Trend Micro as TSPY_BANCOS.CVH, an information-stealing malware that collects certain system-related information.
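The delivery step described above, an RTF carrying an executable inside an embedded OLE "Package" object, is something a mail gateway or a triage analyst can check for mechanically before any user is asked to double-click an image. The Python script below is an added example, not code from the original post or from Trend Micro. It pulls every `\objdata` hex stream out of an RTF, walks the OLE 1.0 embedded-object header (layout as documented in MS-OLEDS), and for `Package` objects walks the Packager blob using the field order commonly implemented by open-source parsers such as oletools' oleobj (assumed here). It then flags payloads that start with an MZ header or carry an executable extension such as .cpl. The sample RTF, the file name `boleto.cpl`, and the MZ stub are all constructed for the demonstration; the stub is not a program.

```python
import binascii
import re
import struct

# Constructed stand-in for the embedded file: it starts with the "MZ"
# signature so the check below fires, but it is not a real executable.
FAKE_MZ_STUB = b"MZ" + b"\x00" * 30 + b"constructed stand-in, not a real PE"

EXEC_EXTS = (".cpl", ".exe", ".scr", ".dll", ".com")

# Matches the hex payload of an RTF \objdata control word (hex may be wrapped).
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)\}")


def _lpstr(s: bytes) -> bytes:
    """OLE 1.0 LengthPrefixedAnsiString: DWORD length (incl. NUL) then string+NUL; 0 = absent."""
    if not s:
        return struct.pack("<I", 0)
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_packager_object(label: bytes, payload: bytes) -> bytes:
    """Build a constructed OLE 1.0 EmbeddedObject whose native data is a Packager blob."""
    native = (
        struct.pack("<H", 2)                               # Packager marker
        + label + b"\x00"                                  # display label
        + b"C:\\constructed\\" + label + b"\x00"           # original path
        + struct.pack("<II", 0x00000300, len(label) + 1)   # flags, temp-path length
        + label + b"\x00"                                  # temp path
        + struct.pack("<I", len(payload)) + payload        # data size, data
    )
    header = struct.pack("<II", 0x0501, 2) + _lpstr(b"Package") + _lpstr(b"") + _lpstr(b"")
    return header + struct.pack("<I", len(native)) + native


def build_sample_rtf() -> bytes:
    """A constructed RTF document with one embedded Package object (assumed file name)."""
    hexdata = binascii.hexlify(build_packager_object(b"boleto.cpl", FAKE_MZ_STUB))
    # Real documents wrap the hex across lines; do the same so the parser must cope.
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi Clique duas vezes na imagem.\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata \n" + wrapped + b"\n}}}")


def _read_lpstr(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00"), off + n


def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def parse_ole1_object(blob: bytes) -> dict:
    """Walk the OLE 1.0 ObjectHeader, then the Packager layout if the class is 'Package'."""
    off = 8  # skip OLEVersion and FormatID
    class_name, off = _read_lpstr(blob, off)
    _topic, off = _read_lpstr(blob, off)
    _item, off = _read_lpstr(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    result = {"class": class_name.decode("latin-1"), "label": None, "data": native}
    if class_name == b"Package":
        p = 2                        # skip the 0x0002 marker
        label, p = _cstr(native, p)  # display label (the name the user sees)
        _src, p = _cstr(native, p)   # original path on the attacker's machine
        p += 8                       # flags DWORD + temp-path length DWORD
        _tmp, p = _cstr(native, p)   # temp path
        (dlen,) = struct.unpack_from("<I", native, p)
        result["label"] = label.decode("latin-1")
        result["data"] = native[p + 4:p + 4 + dlen]
    return result


def extract_embedded_objects(rtf: bytes) -> list:
    """Return one parsed object per \\objdata stream found in the RTF bytes."""
    objs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        objs.append(parse_ole1_object(binascii.unhexlify(hexdata)))
    return objs


def assess(obj: dict) -> list:
    """Findings a gateway or analyst would act on for one embedded object."""
    findings = []
    if obj["data"][:2] == b"MZ":
        findings.append("embedded data starts with an MZ (PE) header")
    if obj["label"] and obj["label"].lower().endswith(EXEC_EXTS):
        findings.append("packaged file has an executable extension: " + obj["label"])
    return findings


if __name__ == "__main__":
    for obj in extract_embedded_objects(build_sample_rtf()):
        print(obj["class"], obj["label"], len(obj["data"]), "bytes")
        for f in assess(obj):
            print("  -", f)
```

Run against real attachments, a hit on either finding is reason enough to quarantine the message: a legitimate RTF has no business packaging a .cpl or any MZ image, whatever the image inside the document says.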

It monitors user transactions on the following websites:

• Blogger
• Facebook
• Google
• Grvnewlook
• Hotmail
• Locaweb
• Orkut
• PagSeguro
• PayPal
• Serasa Experian
• Terra
• Youtube

It logs the collected information in a text file and sends the gathered information to a URL via HTTP POST. The overall behavior diagram is below:

Figure 3. CHEPRO infection chain

Feedback from the Trend Micro Smart Protection Network suggests that there are only a few infections at the moment. However, if cybercriminals find this technique effective, we could see more attacks like it in the future.

We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should deploy a mail scanning solution on the network and enable scanning of email messages.

Trend Micro detects and blocks all malicious files, URLs, and emails related to this attack.

Additional insights by Mark Manahan


© Copyright 2013 Trend Micro Inc. All rights reserved.