Malware distribution campaign claiming victims.

A new malware distribution campaign, spread via email using a very small image embedded in the body of the message, has already claimed a lot of victims.

The image in the email is illegible and cannot be read even when enlarged. It is, however, set up as a link: clicking it opens the browser and downloads the alleged ‘payment’ as a zip file. The zip file contains malware that runs once the archive is extracted and infects the user’s PC.

The most dangerous part of this whole process is that the user is not prompted before the download begins. Should the user have no anti-malware software installed, or should their solution be out of date, the malware will wreak havoc on the now infected system.

Examples (screenshots): Email Received; File Downloaded.

As a test, we ran the file through malware analysis, which concluded that it is definitely not a payment document, as the email implied, but clearly malware.

The malware is configured to perform the following tasks, highlighted in the risk assessment below:

Risk assessment (screenshot).

It does this through the following process:

  • Zip extracted – malware run.
  • The malware initialises a task using trusted Microsoft components and commands (cmd.exe, the Microsoft Command Prompt).
  • The task references two executables, A.exe and B.exe.
  • Each executable is pointed at a text file, a.txt and b.txt respectively, likely their own scripted tasks; both are malicious and steal user credentials from the system they run on.

Both executables can be seen checking various application registry entries to discover credentials and configuration for Microsoft Outlook, Windows Mail, Google Chrome, Yahoo Mail, Firefox and others.
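As an added illustration (not part of the original write-up), the script below flags the chain described above in process-creation logs: a cmd.exe process that spawns two or more executables from outside the Windows directory, each handed a .txt file, and walks the parent links back to the dropper. The log format, file names and paths are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample process-creation events (pid|ppid|image|command line) modelling
# the chain in the write-up: explorer extracts the zip, the dropper spawns cmd.exe,
# and cmd.exe launches A.exe and B.exe, each handed its text file. The last two
# events are benign noise. Names and paths are assumptions, not from the original post.
SAMPLE_EVENTS = """\
100|1|C:\\Windows\\explorer.exe|explorer.exe
200|100|C:\\Users\\u\\Downloads\\payment\\payment.exe|payment.exe
300|200|C:\\Windows\\System32\\cmd.exe|cmd.exe /c A.exe a.txt & B.exe b.txt
301|300|C:\\Users\\u\\AppData\\Local\\Temp\\A.exe|A.exe a.txt
302|300|C:\\Users\\u\\AppData\\Local\\Temp\\B.exe|B.exe b.txt
400|100|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
401|400|C:\\Windows\\System32\\findstr.exe|findstr foo a.txt
"""

def parse_events(text):
    """Parse one event per line into a dict keyed by pid."""
    events = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events[int(pid)] = {"ppid": int(ppid), "image": image, "cmdline": cmdline}
    return events

def ancestry(events, pid):
    """Walk parent links upwards and return the chain of images, child first."""
    chain = []
    while pid in events:
        chain.append(events[pid]["image"])
        pid = events[pid]["ppid"]
    return chain

def find_suspicious_chains(events, min_children=2):
    """Return {cmd.exe pid: [child images]} where cmd.exe spawned at least
    min_children executables outside C:\\Windows, each given a .txt argument."""
    children = defaultdict(list)
    for pid, ev in events.items():
        children[ev["ppid"]].append((pid, ev))
    hits = {}
    for pid, ev in events.items():
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        suspects = [c["image"] for _, c in children[pid]
                    if c["image"].lower().endswith(".exe")
                    and not c["image"].lower().startswith("c:\\windows\\")
                    and any(tok.lower().endswith(".txt") for tok in c["cmdline"].split())]
        if len(suspects) >= min_children:
            hits[pid] = sorted(suspects)
    return hits
```

On the sample data only pid 300 is reported, and ancestry(events, 300) traces it back through the dropper in Downloads to explorer.exe; the benign cmd.exe /c dir is ignored.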

This is especially dangerous because the malware steals configuration settings and all saved passwords stored on the device and sends this information back to the attacker who configured it, meaning that any infected device becomes a treasure trove of usernames and passwords.

Once credentials have been exfiltrated, the malware cleans up after itself and then embeds itself into the system, creating a level of persistence that is difficult to deal with through traditional anti-malware solutions.

This type of attack should be considered extremely dangerous. Should a user with administrative access or access to financial systems be compromised, the attacker could cause unrecoverable harm to an organisation. An individual (private person) has an even lower chance of defending against this type of malware. Care is needed when receiving emails like these, as they can spell disaster for anyone who falls prey to the campaign.