Part of malicious authors’ tactics in effectively spreading malware is using sophisticated social engineering pitches, which usually include a recent, and most often than not, tragic events like the Katrina hurricane or the Kyrill storm. As most attacks are now targeted, they also write their pitches in local language. Such is the case for this new malware that takes advantage of a recent tragedy in Brazil.
Yesterday, a Brazilian airliner (TAM) skidded off a runway at a Sao Paulo airport and crashed into a gas station and a TAM building, killing almost 200 passengers and employees. While the whole world mourns for the loss of lives, cyber criminals are not wasting any time in exploiting this tragedy to spread malware, steal information and gain profit from it. Trend Micro detects this malware as TROJ_BANLOAD.CGL.
According to initial analysis by TrendLabs Threat Analyst Jhoevine Capicio, this malware arrives via spammed email messages that contain news about the said Brazilian tragedy and a link to a video. When users click on the link, they are directed to the following Web site and asked to run an EXE file (TROJ_BANLOAD.CGL), which in turn downloads a spyware:
This site appears to have been hacked by the malware author to host the Trojan. The spyware, on the other hand, connects to an FTP site where it uploads stolen information, mostly email addresses.
This Trojan also downloads the spyware TSPY_BANKER.JHR from another Web site. This Banload variant is reminiscent of last month’s TROJ_BANLOAD.CZE, which also downloads another BANKER variant. Malware authors are still on the money trail.
Users are advised to be wary of opening email messages they receive containing details about this recent tragedy.