A new spam campaign targeting credit card users, regardless of their bank or country, is fresh in the wild. Spam e-mails are usually just extremely annoying and at times money-grabbing, but this time the attack is layered with so many malicious scams that it is hard for me to believe one could find a safe way out once inside this malicious maze.
One of the interesting aspects of this story is that the domains used to collect and store the malware are hosted on a fast-flux botnet. Since hosting accounts used to spread malware are usually taken down within minutes, cyber-criminals sometimes turn to infected computers to host and serve e-threats.
This is how a botnet can spread the word (to be read “send spam”) and deliver the goodies (to be read “malware”) at zero operational costs:
1. The Bait
A spam e-mail designed to make contact with the unwary user and pull him into the labyrinth. The message is meant to be clear: the recipient is tricked into believing that his credit card is one week overdue and that all he needs to do is pay a mere $25 fee within the next 48 hours. Once the sum is paid, all his problems go away.
Pic1. Fake credit card overdue notification
2. E-mail archive hiding a Trojan downloader
Attached to the alarmist message that asks the recipient to pay in order to solve a fake credit card problem is “Customer Details.zip”, in fact the worst part of this spam e-mail: the malware itself. The attachment is an archive containing a Trojan downloader disguised as a PDF file, identified by BitDefender as Gen:Trojan.Heur.FU.bqW@aCga4kmi.
Pic2. Trojan downloader disguised as a PDF file
Once on the system, the Trojan downloader injects itself into svchost.exe and immediately connects to two different domains (http://my[removed]u1.ru/trol.exe and http://[removed]sk.exe), from which it downloads further malicious code onto the compromised computer without the user’s knowledge. Among the malware it downloads is a fake AV dropper, which carries this story to the next level.
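As an added illustration (not code from the original post or from BitDefender), here is a small Python check that a mail gateway or an analyst could run on a ZIP attachment to flag the pattern described above: a Windows executable dressed up as a PDF. The archive contents and file names are constructed for the example, since the post does not reveal the actual name of the file inside “Customer Details.zip”, and the extension lists are assumptions.

```python
import io
import zipfile

# Extensions Windows will execute, and document extensions a malicious name
# may imitate (e.g. "something.pdf.exe"). Both lists are hypothetical.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg"}


def build_sample_zip() -> bytes:
    """Constructed sample attachment (not the real campaign file): two PE
    payloads disguised as PDFs plus one genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Double extension: looks like a PDF when known extensions are hidden.
        zf.writestr("Customer Details.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        # Extension says PDF, but the bytes are a Windows executable.
        zf.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        # Harmless PDF: should produce no finding.
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed body\n")
    return buf.getvalue()


def inspect_attachment(zip_bytes: bytes) -> list:
    """Return one finding per suspicious archive entry, each listing the
    reasons it tripped the checks. Only the first bytes of each entry are
    read, so nothing is executed or fully extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable extension")
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
                reasons.append("double extension mimicking a document")
            if head.startswith(b"MZ"):
                reasons.append("PE (MZ) header")
                if ext in DOC_EXTS:
                    reasons.append("content does not match document extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_attachment(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```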
3. The Fake AV dropper
The fake AV dropper drops and executes a false Windows XP Repair (in C:\Documents and Settings\All Users\Application Data\9mwmdEvozZ8.exe). This bogus antivirus solution comes with a set of version info to add a touch of authenticity, should the user of the compromised PC try to investigate the nature of the newly installed and executed files.
4. The Fake AV as such
The false Windows XP Repair (detected by BitDefender as Trojan.Downloader.Fake.AV.GP) comes with a nice but fake interface, again meant to add to the bogus product’s credibility and build the targeted user’s trust.
Pic3. The interface of the fake AV “sold” as Windows XP Repair
From this point on, all it takes is for the user to panic and start believing that something is really wrong with the system and click the “activate” button on the right side of the page.
Once the activate button is clicked, Internet Explorer opens https://www.win[removed]pair.com/secure/payments, a fraudulent webpage designed to get the user to pay for the so-called disinfection of the system. At this point, the user is convinced his system is packed full of malware and is willing to pay whatever it takes to save all the personal data stored on the compromised PC. Don’t be fooled by the https:// at the front of the link: it only guarantees that the information travels safely to its destination, which here is one of the attacker’s servers.
This malware scheme is much more complicated than meets the eye, as it involves a botnet, advanced malware and, on top of that, a fraudulent payment processor connected with other malware-related schemes: an arsenal of assets usually accessible only to organized cyber-criminals. If you decide to make the payment, not only do you instantly lose the sum due, but you also hand over your credit card information to an untrusted operator who may use it further, of course without your authorization. It is like signing a blank check for a fraudster.
So, please, don’t let yourselves be lured by “fake” credit card problems, or by meal invitations like the ones that circulated only last week; when you find such e-mails in your inbox, call your bank advisor or, better yet, go to the bank and make sure everything is OK with your money.
This article is based on the technical information provided courtesy of Tiberius Axinte, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.