Spam may be seen by the public as a minor nuisance now, but this couldn’t be further from the truth. We recently encountered spam that triggers an infection chain with ZBOT malware as the end result.
The spammed message is supposed to have come from Allergan Limited, the UK arm of the global health care company Allergan, Inc. The message informs the recipient that the attachment contains information about the recipient’s medical information. This attachment is actually malicious and is detected as TROJ_ARTIEF.PI. This malware takes advantage the MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which affects versions of Microsoft Office (specifically 2003, 2007, and 2010). This vulnerability was also targeted in other threats that we documented, including the spoofed APEC 2013 email and the EvilGrab malware found in the Asia-Pacific region.
Figure 1. Fake email from Allergan Limited
This malware drops and executes BKDR_LIFTOH.AD. This backdoor often downloads ZBOT. In this instance, the backdoor leads to the download of TSPY_ZBOT.VHP. ZBOT malware are known for stealing user login credentials, account information etc., in particular targeting online banking users.
One interesting detail in this particular attack is the use of BKDR_LIFTOH malware. Variants often propagate via social networking sites and multi-protocol instant messaging (IM) programs. Propagation through spam is quite rare.
This isn’t the only spam that employs the same attack. We spotted other spam with the same malware attachment, but with different content. Content from these emails suggests that these messages target British users.
Figures 2 and 3. Other similar spammed messages
Users should always take extra precaution when dealing with e-mail attachments; in general these should not be opened unless Email from unknown senders should be ignored or immediately deleted. Trend Micro protects users from this threat by blocking the spam messages and detecting the malware cited in this entry.
With additional insights from Eruel Ramos and Alvin Bacani