Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy, one that came hot on the heels of the actual event itself.
KULUOZ, as we discussed in that blog entry, is malware distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, and it can also turn that system into part of the Asprox botnet itself by installing certain components. The result is a system that is not only infected with malware but also acts as a spam distributor. We discovered the spam campaign itself around the tail end of March.
Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets. Some of these headlines include:
- ‘Misunderstood son’ returns
- ‘Vampire’ burial keeps myth alive
- ,000 to spare? Take a road trip
- Asia stocks mixed after ECB action
- Centenarians ‘are outliving disease’
- Company seeks more approval for clot blocker
- Dozens killed by Baghdad bombings
- Driving ex-soldiers back to work
- E3: Video games ready for action
- EU diplomatic dance around Juncker
- Father’s plea over baby feed death
- Football: Ribery ruled out for France
- GOP chairman: Chris Christie should remain at RGA
- Hollywood pays tribute to Jane Fonda
- Horse racing: Australia’s day in Derby
- Inside a political storm
- Knife attack at South China Station
- Links to UK political websites
- Living with bound feet
- Many missing as South Korea Ferry sinks
- Meteors streak through night sky
- Npower to change bill-chasing method
- Poland’s mini desert
- Police quiz kids over online abuse
- Political editors across England
- Q&A: Why is slurry so dangerous?
- Russian proton rocket fails
- S. Africa’s Zuma admitted to hospital
- Saved by an illegal, homemade radio
- Sen. Ted Cruz sidesteps question about 2016 plans
- Sheeran clinches number one spot
- Smashed Hits: Another Star
- SpaceX unveils new spacecraft to take astronauts to space station, back to Earth
- Spacey denies Bond baddie rumours
- Sudan woman clings to Christian faith despite death sentence, husband says
- Teenage star of cancer diagnosis
- Thai coup prompts warnings to tourists
- Turning highways into power plants?
- U.N.: Chemicals damaging health and environment
- U.S. ‘hypocrisy’ in cybertheft charge
- U.S. : Jihadi featured in suicide bombing video in Syria grew up in Florida
- UK ‘second best education in Europe’
- Ukraine President
- VIDEO: Climate change to cause flash floods
- VIDEO: House of Commons
- VIDEO: The 2014 World Cup in numbers
- Vodafone reveals direct wiretaps
- Watch lightning strike moving car
- What do young Harvard graduates believe?
How the spammers leverage the headlines is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and insert it into the mail itself, so that the mail looks legitimate to the user and bypasses spam filters. The spam runs also appear to use CNN and BBC News as sources of the news snippets they incorporate.
Figure 1. KULUOZ spam sample with “Knife attack at South China (Guangzhou) Station”
Analyzing the samples we found of these campaigns (specifically the one with news of the Thai coup), we found that the spam email itself retains the previous template of shipping notifications, including those of FedEx and the United States Postal Service.
Figure 2. KULUOZ spam sample with “Thai Coup news item”
As in previous spam runs, the mail notifies the reader that a parcel has been received at the local post office and that they need to print out a shipping label in order to receive said parcel.
The mail then presents a link where the user can supposedly print out the shipping label, but the link is malicious and leads to the download of malware that we detect as BKDR_KULUOZ.ED.
Figure 3. The file “USPS_Label_US_Irving.zip” is downloaded and detected as BKDR_KULUOZ.ED
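A defender-side heuristic for the pattern described above (a news headline as the subject, a parcel-pickup lure in the body, and a link to an archive download), written as an added example that is not part of the original post; the sample messages, addresses and domains are constructed, and the archive file name is the one shown in Figure 3.

```python
import email
import re
from email import policy

# Constructed sample messages (not real KULUOZ spam). The first mirrors the
# mismatch described above: headline subject, shipping-label body, .zip link.
# The second is a benign newsletter with the same headline for comparison.
SAMPLES = [
    """From: news@example-news.invalid
To: victim@example.invalid
Subject: Thai coup prompts warnings to tourists

Thai coup prompts warnings to tourists. Tourists have been urged to...
Your parcel has arrived at the local post office. Print the shipping label
to receive it: http://example.invalid/USPS_Label_US_Irving.zip
""",
    """From: newsletter@example-news.invalid
To: reader@example.invalid
Subject: Thai coup prompts warnings to tourists

Thai coup prompts warnings to tourists. Read more at
http://example.invalid/world/thailand
""",
]

# Words typical of the parcel/shipping-label lure, and links to archives or
# executables (the downloaded "label" in the campaign is a .zip).
SHIPPING_LURE = re.compile(r"\b(parcel|shipping label|post office|print\w*)\b", re.I)
ARCHIVE_LINK = re.compile(r"https?://\S+\.(zip|rar|7z|exe)\b", re.I)


def analyze(raw: str) -> dict:
    """Flag a message whose body carries a shipping lure plus an archive link
    while its subject says nothing about shipping (the headline mismatch)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    if ARCHIVE_LINK.search(text):
        reasons.append("link to archive/executable download")
    if SHIPPING_LURE.search(text):
        reasons.append("shipping-label lure in body")
    if reasons and not SHIPPING_LURE.search(subject):
        reasons.append("subject unrelated to shipping lure (headline mismatch)")
    return {"subject": subject, "suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```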
While this may seem like a typical spam run that uses news headlines to bypass spam filters (and to trick users into reading the mails), it should be noted that the malware involved can compromise unsecured systems if it is allowed to take root.
The continued use of news headlines is also something to bear in mind: it is proof that as long as there is news to talk about, there will be threats that take advantage of it. No doubt we’ll be seeing this spam campaign continue as time goes on; readers can be sure that we’ll post updates in the Security Intelligence blog as necessary.
Trend Micro customers are protected from this threat and the malicious files involved.