TrendLabs Malware Blog (Trend Micro)

In recent weeks we have blogged about the scam involving faked bank certificates for Wachovia, Bradesco and Merrill Lynch. All of those attacks tried to exploit fear about online security, combined with the international banking crisis.

Yesterday we noticed that this kind of spam had arrived in German mailboxes, written in German.

[Image: German phishing email]

According to Michael Tants, a researcher at European Regional TrendLabs, the German in the message is so poor that even someone who understands only a little German would conclude it could not have been sent by a bank. The text is bad enough to be taken for a joke.

Nevertheless, Trend Micro customers are prevented from downloading the file even before a specific pattern signature is released for Trend Micro products, because both the URL and the file are already identified as potentially malicious.

[Image: Fake certificate blocked as Possible_Virus]

Running the sample without any antivirus protection, we found that on execution the file DABDigicertx.509.exe downloads several components which, after a number of system changes, finally install a hidden service, new_drv.sys. The affected machine is turned into a zombie.

[Image: new_drv registry data]

As expected, this new driver (a hidden service) intercepts HTTP and HTTPS streams and sends the login information to a third-party host. Our analysis concluded that this third party is located in China, although at the same time a different hidden process attempted to connect to a host in Oldenburg, Germany.
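One defender-side check for the behaviour described above, added here as an example and not code from the original post: it compares the kernel-driver entries recorded under the Services registry key with the drivers the Service Control Manager actually reports, and additionally flags the new_drv name from the analysis. It assumes an elevated PowerShell session on the affected Windows host; the IoC list and the Resolve-DriverPath helper are the example's own.

```powershell
# Added example, not code from the original post. A driver that exists in the
# registry but is missing from the SCM view is a candidate hidden service of
# the kind described in the analysis (new_drv.sys). Run from an elevated shell.

$iocNames    = @('new_drv')   # service name taken from the post's analysis
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath([string]$imagePath) {
    # Driver ImagePath values are usually relative to the system root, e.g.
    # "\SystemRoot\system32\drivers\x.sys" or "system32\DRIVERS\x.sys".
    $p = $imagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                 # strip a leading \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Kernel and file-system drivers the SCM lists (any state), lower-cased for comparison
$scmDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    ForEach-Object { $_.Name.ToLowerInvariant() }

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services and stray keys
    if ($null -eq $props -or $props.Type -notin @(1, 2)) { continue }
    $name    = $key.PSChildName.ToLowerInvariant()
    $reasons = @()
    if ($name -in $iocNames)      { $reasons += 'name matches driver from the analysis' }
    if ($name -notin $scmDrivers) { $reasons += 'registry driver entry not reported by SCM' }
    if ($props.ImagePath) {
        $file = Resolve-DriverPath $props.ImagePath
        if (-not (Test-Path -LiteralPath $file)) { $reasons += "image file missing: $file" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service = $key.PSChildName
            Start   = $props.Start
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

The SCM loads its database from the registry at boot, so a key written directly to the registry since the last reboot also shows up as "not reported by SCM"; treat hits as leads to verify against the on-disk file and its signature, not as a verdict.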

Of course, the destination the log files show for the data does not automatically mean the data stays there. But regardless of where the criminals are located geographically, they still do the same things they always do.

And don't forget: with this particular scam there is no way for German customers to get infected. We therefore consider this spam a kind of beta test for the next round of "bank certificates". Just stay vigilant!


© Copyright 2013 Trend Micro Inc. All rights reserved.