A new and extremely interesting spam campaign aimed at Brazilian computer users is making its rounds these days. Disguised as a mail message carrying harmless picture attachments, the spam email actually leads the user to an assortment of Banker Trojans.
The alleged pictures are, in fact, links pointing to malware
A rough translation of the text looks like this:
Good evening, at this moment, a father is proud of his daughter. Well, I don’t believe he will anymore after you’ve seen these pictures. I’m just forwarding them.
There is a girl on the web who betrayed her boyfriend and posted online pictures taken during intimate moments.
(eight alleged pictures listed here)
Comment: the father is the owner of a network of bakeries.
To succeed, the attacker counts on the user's curiosity. The message appears to carry eight picture attachments; in fact each "attachment" is a link. To add credibility, the attacker included small touches of authenticity, such as a "file" size displayed after every "image". Should the victim click on any of the "pictures", they are redirected through a chain of compromised websites to a malicious .cpl file.
The picture is in fact a Control Panel extension.
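The two checks a mail gateway or an analyst would want here are (1) flag anchors whose visible text claims to be an image while the link target is not one, and (2) sniff the bytes that actually come back, since a Control Panel extension is a PE file and not a picture. The following is an added example written for this post, not BitDefender's code or a reproduction of the real message; the HTML body and the hostnames in it are constructed (the write-up does not reproduce the original HTML), and the payload bytes fed to the sniffer are likewise constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the lure's HTML body (hostnames and paths are
# invented): anchors whose visible text mimics an image attachment with a
# file size, while the href points to a .cpl file or a redirector script.
SAMPLE_EMAIL_HTML = """
<p>... eight alleged pictures ...</p>
<a href="http://example-compromised.invalid/img/foto1.cpl">foto1.jpg (231 KB)</a><br>
<a href="http://example-compromised.invalid/img/foto2.cpl">foto2.jpg (198 KB)</a><br>
<a href="http://example-compromised.invalid/gallery/real.jpg">foto3.jpg (120 KB)</a><br>
<a href="http://example-compromised.invalid/r.php?id=4">foto4.jpg (301 KB)</a>
"""

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".cpl", ".exe", ".scr", ".com", ".bat", ".dll"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extension_of(name):
    """Lower-cased final extension of a filename or URL path, or ''."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def suspicious_image_links(html):
    """Return (href, text, reason) for links that pose as images but are not."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        claimed = extension_of(text.split()[0]) if text else ""
        actual = extension_of(urlparse(href).path)
        if claimed in IMAGE_EXTS and actual != claimed:
            reason = ("executable target" if actual in EXEC_EXTS
                      else "target extension mismatch")
            findings.append((href, text, reason))
    return findings


def classify_payload(data):
    """Identify what was actually downloaded by its magic bytes."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"MZ":          # PE image: a .cpl is a DLL, so this is the lure's case
        return "pe"
    return "unknown"


if __name__ == "__main__":
    for href, text, reason in suspicious_image_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: '{text}' -> {href}")
    # Constructed stand-in for the bytes the .cpl link returns.
    print(classify_payload(b"MZ\x90\x00" + b"\x00" * 60))
```

Links whose target is a redirector script are reported separately from links that point straight at an executable, because the post says the victim is bounced through compromised sites before reaching the .cpl; the magic-byte check is what resolves that case once the final download is in hand.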
Detected as Trojan.Downloader.JNXT, this Control Panel item, once opened, fetches additional malware from a variety of websites. A .cpl file is an ordinary DLL that Windows loads and executes when it is double-clicked, so "opening the picture" runs the attacker's code. The downloader creates a folder called "systeam" in the root of the OS partition, populates it with a plethora of malware, and then runs batch files that launch all of these malicious binaries.
Most of the downloaded files are typical Banker Trojans written in Delphi, able to act as man-in-the-middle during banking transactions. There are also two variants of the LdPinch Trojan, which steals sensitive information from the infected computer, such as the operating system version and configuration and the stored passwords of a plethora of applications, including mail clients, FTP utilities, instant messenger clients and RAS services.
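The only host-side indicator the post gives is the "systeam" folder at the root of the OS partition, filled with binaries that batch files then launch. A responder can turn that into a quick triage check: does the folder exist, what executables does it hold, and which of them do the .bat files try to start. The code below is an added example for this post, not BitDefender's tooling; the directory layout, file names and batch contents it builds are constructed test data, since the write-up does not list the dropped file names.

```python
import os
import re
import tempfile

# The folder name is the one indicator the write-up gives; everything else
# below (binary names, batch contents) is a constructed stand-in.
IOC_FOLDER = "systeam"

# Tokens in a batch line that name something executable (start "" x.exe,
# control x.cpl, a bare path with arguments, ...).
LAUNCH_RE = re.compile(r'[^\s"]+\.(?:exe|cpl|scr)\b', re.I)


def inspect_systeam(root):
    """Report on <root>/systeam: present?, binaries inside, and the binaries
    the .bat files in it attempt to launch."""
    folder = os.path.join(root, IOC_FOLDER)
    report = {"present": False, "binaries": [], "launched": []}
    if not os.path.isdir(folder):
        return report
    report["present"] = True
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        ext = os.path.splitext(name)[1].lower()
        if ext in (".exe", ".cpl", ".dll", ".scr"):
            report["binaries"].append(name)
        elif ext == ".bat":
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    for token in LAUNCH_RE.findall(line):
                        # Batch files use backslashes; split on both separators
                        # so the check also runs on a mounted image under Linux.
                        base = re.split(r"[\\/]", token)[-1]
                        report["launched"].append((name, base))
    return report


def build_sample_tree():
    """Construct a throwaway directory mimicking the downloader's layout
    (constructed test data, not files recovered from the campaign)."""
    root = tempfile.mkdtemp()
    folder = os.path.join(root, IOC_FOLDER)
    os.mkdir(folder)
    for binary in ("bank1.exe", "bank2.exe", "ldp.exe", "dl.cpl"):
        with open(os.path.join(folder, binary), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)     # minimal PE-looking header
    with open(os.path.join(folder, "run.bat"), "w", newline="") as fh:
        fh.write("@echo off\r\n"
                 'start "" c:\\systeam\\bank1.exe\r\n'
                 'start "" c:\\systeam\\bank2.exe\r\n'
                 "c:\\systeam\\ldp.exe /s\r\n")
    return root


if __name__ == "__main__":
    # On a live Windows host you would pass the real partition root instead:
    #   inspect_systeam(os.environ["SystemDrive"] + "\\")
    sample_root = build_sample_tree()
    print(inspect_systeam(sample_root))
```

A hit on the folder alone is enough to move the machine to the "run a full scan" bucket; the launched-binary list tells you which samples to pull for the Banker and LdPinch analysis described above.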
Some of the malware running on the system as detected during a 60-second QuickScan
Well, if you've already received this message and did anything but trash it, you should run a 60-second QuickScan just to make sure you didn't catch the bugs. If you're already a BitDefender customer, you have nothing to worry about, as we've been detecting these pieces of malware for a while with a generic routine. Always remember that security trumps curiosity: if you stumble upon links in messages from people you don't know, proceed with care.