May 7 | 12:43 am (UTC-7) | by Danielle Veluz (Technical Communications)
The only thing worse than receiving a spammed greeting card is one that comes with malware. TrendLabs℠ senior advanced threats researcher Loucif Kharouni recently acquired a spam sample in the form of an online greeting card. The message urges recipients to view the greeting card by clicking the image. Users who are tricked into doing so end up downloading setup.exe, a malicious file detected by Trend Micro as BKDR_ANYTEMIR.A.
Upon execution, the backdoor program connects to a malicious site, which is no longer accessible. BKDR_ANYTEMIR.A also creates copies of itself in legitimate folders, using file names related to those folders. Each copy attempts, unsuccessfully, to connect to {BLOCKED}nytimergot.com, possibly to receive commands from a remote user.
Spammed messages are already fixtures of the current threat landscape, and many of them come in disguises such as greeting cards related to holidays and special occasions, as reported in the following previous posts:
- Christmas Greetings from Spammers
- What Is Old Is New Again: Malicious New Year E-Card Spam
- Merry Malware Greetings Flooding Inboxes
Users are strongly advised to immediately delete and refrain from opening suspicious-looking email messages; to never click embedded links and images in dubious messages; and to open file attachments with caution.
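A mail-gateway style check for the lure described in this post, a clickable card image that leads to an executable download such as setup.exe, can be sketched as follows. This is an added example, not Trend Micro's code; the function and class names, the extension list and the sample message (which uses reserved .example hosts) are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of executable extensions worth flagging; tune for your gateway.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")

class ImageLinkFinder(HTMLParser):
    """Collects the href of every <a> element that wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.open_hrefs = []   # hrefs of <a> tags that are currently open
        self.image_links = []  # hrefs whose anchor contains an image

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.open_hrefs.append(dict(attrs).get("href") or "")
        elif tag == "img" and self.open_hrefs:
            self.image_links.append(self.open_hrefs[-1])

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()

def suspicious_image_links(raw_message):
    """Return image-wrapped links whose URL path ends in an executable extension."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        finder = ImageLinkFinder()
        finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        hits += [h for h in finder.image_links
                 if urlparse(h).path.lower().endswith(EXEC_EXT)]
    return hits

# Constructed sample message; all hosts use the reserved .example TLD.
SAMPLE = (
    "From: cards@greetings.example\n"
    "Subject: You have received a greeting card\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Click the card to view it.</p>\n'
    '<a href="http://cards.example/setup.exe?id=1"><img src="card.jpg"></a>\n'
    '<a href="http://cards.example/about.html"><img src="logo.png"></a>\n'
)

if __name__ == "__main__":
    print(suspicious_image_links(SAMPLE))
```

The check parses the URL path rather than the raw string, so a query string appended after the file name does not hide the extension.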
Trend Micro™ Smart Protection Network™ protects users from this kind of attack by blocking spam before it reaches inboxes via the email reputation service. The web reputation service, in turn, blocks user access to malicious sites where BKDR_ANYTEMIR.A may be downloaded. Finally, the file reputation service prevents the download and execution of the backdoor.