Malicious spammers are really striking while the iron is hot, so to speak.
Less than a day after spammed messages containing links claiming to point to news related to the recent Russian-Georgian conflict, another spam run bringing malware was found by the Trend Micro Content Security Team.
Below is an example of the latest spam:
Figure 1. Spam sample about journalists being shot in Georgia in relation to the recent Russian-Georgian conflict.
The attached file Georgia.zip is a password-protected .ZIP file. Setting a password to enable access to the file prevents the spam filter function of email applications from scanning the attachment for malicious content. In this case, detection was made for the .ZIP file itself to protect the users even before they access the file’s content. The .ZIP file is detected by Trend Micro as WORM_DLOAD.RAR.
When accessed through the password also contained in the email message (see bottom of spam where it says attach password: 123, the .ZIP file is seen to contain an executable named Joined.exe. This file on the other hand is detected as TROJ_DLOADER.UAF:
Figure 2. When the attachment is opened, the archive reveals that the “photo” promised in the text is actually an executable.
Upon execution, TROJ_DLOADER.UAF connects to another host, and downloads additional components — specifically, a rogue antivirus (TROJ_FAKEALRT) variant that displays fake warnings of a malware infection. It attempts to trick the victim into buying a fake antivirus program to eliminate the malware which is supposedly affecting the system. This obviously leaves the victim with a piece of software that was never necessary in the first place, and less money.
Users are now protected from this attack by the Trend Micro Smart Protection Network.
The recent Russia-Georgia conflict caused a worldwide stir as Russian troops reportedly invaded certain areas of Georgia, injuring numerous civilians. The said invasion was later concluded, with Russia withdrawing their troops from Georgian soil.
News items in spam such as this is one of the “facades of choice” by malware authors, promising information on recent events to entice users to click on malicious links. Just this month, fake news alerts purporting to be sent by CNN were repeatedly used by spammers and malware authors to distribute their handiwork:
- al Qaeda News Spam: A Malware Diversionary Tactic
- Another al Qaeda News Spam, Now on Video
- Phishers Play the Olympics
- New Trojan Bait: CNN Videos
- More Fake News, More Malicious CNN Spam
- Scammers Try Their Luck (Again) on The Olympics
- Spam with an Identity Crisis
Users should exercise caution when opening their email.