This “new” threat could be an extension of the spamming and malware operation we also blogged about last December — the same social engineering technique and fake websites that look similar, and the same uniform payloads.
New Years-themed e-cards are the bait — the following spammed messages inform recipients that someone has sent them a card which could be viewed using a given URL:
Figure 1. Sample New Year spam messages
Clicking on the link would redirect victims to the following page [pictured below], and a malware infection soon follows if you agree to download and execute the file card.exe (not a card, of course, but a malware Trojan):
Figure 2. The link opens to a somewhat genuine-looking e-card site.
Figure 3. Clicking on the links prompts the user to download a file.
The file is malicious and is detected by Trend Micro as TROJ_WALEDAC.AC.
Various new WADELAC worm variants have also been seen in the wild by Trend Micro researchers, also distributed through the same methods.
WADELAC variants, interestingly, are being associated with previous Storm activities by security researchers due to some observed similarities between the two. Shadowserver listed several similarities, such as the constant generation of new domains and change in IP addresses. Another is the use of the Storm-classic technique — spamming through email and using timely themes such as the holidays, as well as the file names of the downloaded malware itself (ecard.exe and postcard.exe).
The Trend Micro Smart Protection Network already blocks the spammed message and detects the malicious files.