Trend Micro received two spoofed emails that redirect users
to a fake Adobe Flash Player update. These messages use different approaches to
lure users into downloading the malicious file update_flash_player.exe
(detected as TSPY_FAREIT.SMC).
The first email is disguised as a WebEx email containing an
HTM attachment. Once users open this attachment, they are led to a
malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening
it because it appears to be an alert from a business tool they use regularly.
The second sample, on the other hand, is a spoofed PayPal email that features
transaction details. Curious users who click these details are then directed to
the webpage hosting the rogue Flash update file.
The site in question is a spoofed Adobe Flash Player
update page. To the undiscerning eye, it may pass for the real Adobe Flash
Player website, as it is an exact copy of the legitimate Adobe site. But a closer
look at the site’s address reveals that it is anything but authentic.
Also, as threat engineer Roddell Santos observed, the creators of these spoofed
sites went to great lengths to imitate the drop-down menu of the real Flash
page.
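The "closer look at the site's address" is something a mail gateway or a user-awareness tool can do mechanically: extract the links from a message body and ask whether each host really belongs to the vendor it claims to be. The script below is an added example written for this post, not code from Trend Micro; the sample e-mail body, the `.example` domains and the `203.0.113.10` address are constructed placeholders, and only adobe.com and paypal.com are real vendor domains. It flags hosts that merely contain a vendor's name (the "adobe.com.something.example" and "user@host" tricks) and links that point straight at an executable such as update_flash_player.exe.

```python
"""Flag links in an e-mail body whose host is not a genuine vendor domain.

Added example, not code from the Trend Micro post. The sample e-mail body
and every domain other than adobe.com and paypal.com are constructed
placeholders.
"""
import re
from urllib.parse import urlsplit

# Vendor domains the organisation treats as legitimate sources of updates
# or account notifications. Anything else that mentions these names is suspect.
TRUSTED_VENDOR_DOMAINS = {"adobe.com", "paypal.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample body: one genuine Adobe link and three lookalikes.
SAMPLE_EMAIL_BODY = """\
Your Flash Player is out of date. Update now:
http://get.adobe.com/flashplayer/
http://adobe.com.flash-update.example/update_flash_player.exe
http://www.adobe.com@203.0.113.10/update_flash_player.exe
https://paypal-transaction-details.example/view?id=12345
"""


def registered_domain(host):
    """Return the last two labels of a host, e.g. get.adobe.com -> adobe.com.

    Good enough for .com-style names; a real deployment would consult the
    public suffix list to handle names such as example.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def is_trusted_vendor_link(url):
    """True only if the URL's real host belongs to a trusted vendor domain.

    urlsplit().hostname strips user-info and ports, so a URL written as
    http://www.adobe.com@203.0.113.10/ resolves to host 203.0.113.10 here,
    which is exactly why the check must not look at the raw URL text.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    return registered_domain(host) in TRUSTED_VENDOR_DOMAINS


def classify_link(url):
    """Return None for a trusted vendor link, else a short reason string."""
    if is_trusted_vendor_link(url):
        return None
    parts = urlsplit(url)
    netloc = parts.netloc.lower()   # includes any user-info before '@'
    reasons = []
    # A vendor's name in the host text while the registered domain is not
    # the vendor's is the classic lookalike pattern.
    for vendor in sorted(TRUSTED_VENDOR_DOMAINS):
        if vendor.split(".")[0] in netloc:
            reasons.append(f"lookalike of {vendor}")
    if parts.path.lower().endswith(".exe"):
        reasons.append("links directly to an executable")
    if not reasons:
        reasons.append("host not in trusted vendor list")
    return "; ".join(reasons)


def find_suspicious_links(body):
    """Return (url, reason) pairs for every link in body that fails the check."""
    findings = []
    for url in URL_RE.findall(body):
        reason = classify_link(url)
        if reason is not None:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in find_suspicious_links(SAMPLE_EMAIL_BODY):
        print(f"{reason}: {url}")
```

Run against the sample body, the genuine get.adobe.com link passes and the other three are reported, each with the reason that made it suspicious. The decision rests on the parsed hostname, never on whether the URL text "looks like" Adobe, because that text is precisely what the attacker controls.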
Once executed, TSPY_FAREIT.SMC drops a variant of the
infamous banking malware ZeuS/ZBOT, specifically TSPY_ZBOT.AMM and
TSPY_ZBOT.LAG. As you may recall, this malware family is known for its
information theft routines. These variants are specifically crafted to steal
online banking credentials such as usernames, passwords, and other important
account details. This stolen information is then used to initiate transactions
without users’ knowledge or is peddled in the underground market for the right
price.
Right Platform and Timing Are Everything
Though malicious pages spoofing popular software vendors
like Adobe are not unheard of, the timing of these pages is highly suspicious.
Just recently, Adobe released their update for Flash to customers. The bad guys
used this software release as the right vehicle to deliver ZeuS/ZBOT variants
to unsuspecting users.
The use of WebEx in these spoofed emails is also fishy. WebEx
is a popular business conference/meeting technology in the corporate world. And
we all know that, on average, employees receive 100 emails per day, making
email the top business communication tool. Just a coincidence? We highly doubt
it. We believe that the perpetrators of this threat are likely targeting
businesses and employees.
To avoid downloading ZeuS/ZBOT variants and other malware,
users should always be careful before clicking links that arrive via email
messages, private messages (PM) and other forms of communication. For
enterprises, it is best to educate users on responsible email communication and
how to be discerning of the messages they receive. To know more, you may refer
to our primer Are Your Business Communications Secure?
Trend Micro Smart Protection Network protects users from this threat by blocking
these spoofed messages. It also blocks access to the fake Adobe sites and
detects and deletes the malware components.
We observed a Blackhole Exploit Kit (BHEK) spam run
mimicking a Facebook notification that leads to a site hosting another rogue
Flash Player update that drops ZeuS/ZBOT variants. Do not expect such spam
runs to fade soon. As senior architecture director Jon Oliver noted,
these attacks are continuing at full speed. As such, users are advised to remain
extra careful when clicking links in email messages.