In the past weeks we have blogged about the scam involving fake bank certificates for Wachovia, Bradesco and Merrill Lynch. All of those attacks tried to exploit fear about online security, conveniently combined with the international banking crisis.
Yesterday we noticed that this kind of spam has reached German mailboxes, and of course it is written in German.
According to Michael Tants, researcher at European Regional TrendLabs, the quality of the German used is so bad that even somebody who understands only a little German would realise it could not have been sent by a bank. The text is so poor that it can be considered a joke.
Nevertheless, Trend Micro customers are prevented from downloading the file even before the specific pattern signature is updated on Trend Micro products, because both the URL and the file are already identified as potentially malicious.
Running this farce on a machine without any antivirus protection, we found that on execution the file DABDigicertx.509.exe downloads several components which, after some changes to the system, finally install a hidden service, new_drv.sys. The affected machine is turned into a zombie.
As expected, this new driver (a hidden service) intercepts HTTP and HTTPS streams and sends the login information to a third-party host. Our analysis concluded that the third party is located in China, although at the same time a different hidden process attempted to connect to somewhere in Oldenburg, Germany.
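As an added illustration (not code from the original post), the infection chain described above can be written as a simple ordered correlation over host events: dropper execution, hidden driver install, then an outbound connection from the dropper. The event format and sample lines are constructed assumptions; only the file and driver names come from the post.

```python
# Added example: ordered correlation of the described chain per host.
# Event format "timestamp host kind detail" and the sample lines are constructed;
# DABDigicertx.509.exe and new_drv.sys are the indicators named in the post.
import re
from collections import defaultdict

# Constructed sample events (203.0.113.0/24 is a documentation range, not a real C2).
SAMPLE_EVENTS = """\
2008-10-30T09:00:01 pc-01 PROCESS_CREATE C:\\Users\\u\\Downloads\\DABDigicertx.509.exe
2008-10-30T09:00:09 pc-01 DRIVER_LOAD C:\\Windows\\system32\\drivers\\new_drv.sys
2008-10-30T09:00:12 pc-01 NET_CONNECT DABDigicertx.509.exe -> 203.0.113.7:80
2008-10-30T09:05:00 pc-02 DRIVER_LOAD C:\\Windows\\system32\\drivers\\ntfs.sys
2008-10-30T09:06:00 pc-02 NET_CONNECT outlook.exe -> 203.0.113.9:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

# Stages of the chain, in the order they must occur on one host.
STAGES = [
    ("PROCESS_CREATE", re.compile(r"DABDigicertx\.509\.exe$", re.I)),
    ("DRIVER_LOAD", re.compile(r"new_drv\.sys$", re.I)),
    ("NET_CONNECT", re.compile(r"^DABDigicertx\.509\.exe ->", re.I)),
]


def correlate(events: str) -> dict:
    """Return {host: [matched details]} for hosts where the whole chain is seen in order."""
    progress = defaultdict(list)  # host -> details of stages matched so far
    for line in events.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, host, kind, detail = m.groups()
        stage = len(progress[host])
        if stage < len(STAGES):
            want_kind, pattern = STAGES[stage]
            if kind == want_kind and pattern.search(detail):
                progress[host].append(detail)
    return {h: d for h, d in progress.items() if len(d) == len(STAGES)}


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: dropper -> hidden driver -> outbound connection")
        for step in chain:
            print("   ", step)
```

Only pc-01 completes all three stages; pc-02 loads a legitimate driver and never runs the dropper, so it is not flagged.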
Of course, the fact that the log files show where the data might go does not automatically mean that it stays there. However, regardless of where the criminals are geographically located, they still do the same things they always do.
And don’t forget: for this particular scam there is no way for German customers to get infected. Therefore, we consider this spam a kind of beta test for the next “bank certificates”. Just stay vigilant!