The more things change, the more they remain the same. Cybercriminals are still using various news events as bait to get users to read their emails and install malware. Proof: we received email samples that used the Ramadan and an upcoming conference — all to lure users into downloading and executing the malicious attachments.
Ramadan-Themed Messages Carry Malicious Files
With the recent observation of Eid ul-Fitr marking the end of the Muslim holy month of Ramadan, certain attackers crafted Ramadan-themed messages to take advantage of the event. We found two email variants that contain .XLS attachments verified to be malicious (detected by Trend Micro as TROJ_MDROP.AIG).
The sender address contains the word “Uyghur”; it is likely a spoofed email address created by the perpetrators to make the message appear to come from the World Uyghur Conference. The malware associated with this email is under analysis.
Spoofed World Uyghur Invitation Leads to Backdoor
Speaking of World Uyghur, we found an email message posing as an invitation to the upcoming World Uyghur Conference in Germany. The email carries an .XLS file attachment, which analysis reveals to be a Trojan dropper detected as TROJ_MDROP.TYT.
Since the message was crafted to interest specific users, the intended recipients are likely to open the attachment and, in doing so, execute the Trojan. Once installed, TROJ_MDROP.TYT drops BKDR_WOLYX.TYT, a backdoor that connects to a specific URL, possibly to communicate with a remote malicious user. It is also capable of taking screen captures, deleting and creating files, and terminating processes.
This is the second email we’ve received that used the World Uyghur Conference as a lure to deceive users into opening the email and its attachment. The first sample, found last June, also used the same conference and carried a malicious attachment that exploits a vulnerability in Adobe Flash Player (CVE-2012-0779).
Trend Micro users need not worry about this threat as they are protected via Smart Protection Network™, which blocks these email messages and removes the malware component.
As a precaution, users must verify the legitimacy of messages before opening them and avoid opening the attached files. Cybercriminals often use social engineering to deceive users into opening spam, downloading malware, or visiting malicious websites. To know more about this crafty technique, you may read our Digital Life e-Guide How Social Engineering Works.
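The two lures above share the traits a mail-triage rule can look for: an event-themed subject, a sender whose claimed identity does not fit the domain the mail was actually sent from, and a legacy binary Office attachment (.XLS) of the kind that served as the dropper. The script below is an added illustration, not code from the original post or from Trend Micro; it generalises the "verify legitimacy" advice into a defender-side heuristic. Both messages it parses are constructed samples with placeholder domains, the keyword list and scoring weights are assumptions, and the OLE magic bytes are the standard Compound File header that legacy .xls files begin with.

```python
import os
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not from the original post): an event-themed invitation
# whose display name claims an organisation the sending domain does not match,
# carrying an .xls attachment. The base64 body is just the OLE header padded
# with zeros, enough to show the file-type check; it is not a real document.
LURE_EML = b"""From: "World Uyghur Conference Secretariat" <invite@freemail.example>
To: recipient@example.test
Subject: Invitation to the upcoming conference in Germany
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the invitation and agenda attached.
--b1
Content-Type: application/vnd.ms-excel; name="Invitation.xls"
Content-Disposition: attachment; filename="Invitation.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign control: the display name agrees with the sending domain
# and there is no attachment, even though the subject mentions a holiday.
BENIGN_EML = b"""From: "Example Corp Events" <events@examplecorp.example>
To: recipient@example.test
Subject: Office closure for Eid
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The office will be closed on Monday.
"""

# Assumed lists: file types commonly abused as droppers, and subject words that
# match the news-event lures described in the post.
RISKY_EXTENSIONS = {".xls", ".xlsm", ".doc", ".docm", ".rtf", ".exe", ".scr", ".js", ".vbs"}
LURE_KEYWORDS = ("invitation", "conference", "ramadan", "eid", "agenda")
# Magic bytes of a Compound File Binary (OLE2) container, the format of legacy .xls/.doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Words in a display name that carry no organisational identity of their own.
GENERIC_NAME_WORDS = {"conference", "secretariat", "events", "team", "office", "world"}


def display_name_mismatch(display_name: str, domain: str) -> bool:
    """True when the organisation claimed in the From display name shares no
    meaningful word with the domain the message was actually sent from."""
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]{4,}", display_name)]
    tokens = [t for t in tokens if t not in GENERIC_NAME_WORDS]
    if not tokens or not domain:
        return False
    return not any(t in domain for t in tokens)


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the lure indicators it exhibits."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = str(msg.get("Subject", "")).lower()

    risky, ole = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            risky.append(name)
        # Check the decoded bytes, not just the extension: a renamed OLE file is still OLE.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(OLE_MAGIC):
            ole.append(name)

    mismatch = display_name_mismatch(display_name, domain)
    keywords = [k for k in LURE_KEYWORDS if k in subject]

    # Assumed weighting: an attachment is the carrier, so it counts double;
    # a topical subject alone (the benign control) is not enough to flag.
    score = 2 * bool(risky or ole) + int(mismatch) + int(bool(keywords))
    verdict = "suspicious" if (risky or ole) and score >= 3 else "low"
    return {
        "sender_domain": domain,
        "risky_attachments": risky,
        "ole_attachments": ole,
        "display_name_mismatch": mismatch,
        "lure_keywords": keywords,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(label, triage_message(sample))
```

The payload check matters more than the extension check: the post's droppers were .XLS files, but the same OLE container turns up under other names, so a triage rule keyed only on the filename is easy to sidestep. The benign control shows why the score needs more than a topical subject line before it flags anything.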