Spam messages claiming to link to an invoice, shopping receipt, airline ticket, or some other type of confirmation document were the predominant mode of malware distribution in April, Solera Networks said.
The campaign began around April 4, and each spam message contained a link to a URL pointing to a malicious Zip file, Andrew Brandt, director of threat research at Solera Networks, wrote on the ThreatVision Lab blog this week. If the user clicked the link, the site served a fairly small Zip file containing the Kuluoz Trojan. The executable disguises its nature with an innocuous icon resembling a word-processing or text-editing application, such as Microsoft Word or UltraEdit, a Notepad-like editor.
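The lure described above is a Zip archive whose only payload is an executable dressed up as a document. A mail gateway or sandbox can catch that shape without any knowledge of Kuluoz itself. The following is an added example, not code from Solera Networks or from the article: it opens an archive in memory, reads the first two bytes of each member to look for the PE/DOS "MZ" magic, and flags names that stack a document extension in front of an executable one. The sample archive it builds is constructed for the demonstration (the member name and the 64-byte fake PE stub are invented) and is not a real campaign file.

```python
import io
import zipfile

# Extensions Windows runs as programs; a "document" ending in one of these is the classic lure.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXTS = {"doc", "docx", "pdf", "txt", "rtf", "xls", "xlsx"}


def scan_zip_bytes(data):
    """Return {member_name: [reasons]} for archive members that look like disguised executables.

    Two independent checks: the member's content starts with the PE/DOS 'MZ' magic, or its
    name puts a document extension in front of an executable one (e.g. Invoice.doc.exe).
    The icon trick the article mentions lives inside the PE's resources and is not checked here.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            last = parts[-1] if len(parts) > 1 else ""
            before = parts[-2] if len(parts) > 2 else ""
            with zf.open(info) as fh:
                magic = fh.read(2)          # only the first two bytes are needed
            reasons = []
            if magic == b"MZ":
                reasons.append("PE executable (MZ header)")
            if last in EXEC_EXTS and before in DOC_EXTS:
                reasons.append("document name with executable extension")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_zip():
    """Constructed sample (not a real campaign file): a fake PE stub with a lure-style name
    next to a harmless text file, so the scanner has both a hit and a non-hit to work on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_April.doc.exe", b"MZ" + b"\x00" * 62)   # fake PE header only
        zf.writestr("readme.txt", b"Your order confirmation is attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

Checking the magic bytes rather than trusting the extension matters because the name is entirely under the sender's control; the "MZ" check also catches a renamed executable with no extension at all, while the double-extension check catches archives where the content is not yet available (for example, when only the central directory has been inspected).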
The message content itself remained relatively static across the campaigns, but the links in the mail “constantly shift to a long list of Websites” that belong neither to the malware distributor nor to the business the distributor was impersonating, Brandt said. Solera Networks has seen at least 126 separate Web domains used in the campaign since the beginning of April. The URLs followed a consistent naming convention and were typically active for less than a day.
“With so many stolen Web sites available, the malware distributors don’t seem to be all that bothered,” Brandt said. All of the sites identified belonged to small businesses, organizations, and individuals.
These sites may have been compromised the traditional way, with attackers going after each one individually, or the attackers may be using mass break-ins.
The Anti-Phishing Working Group (APWG) found in its latest Global Phishing Survey, covering the second half of 2012, that attackers were increasingly breaking into Web servers that host a large number of domains. After uploading the malicious content, the attacker can change the server’s configuration so that the malware is served under every domain on that server, according to the APWG. Roughly 47 percent of all phishing attacks worldwide in the second half of 2012 stemmed from such break-ins of shared Web servers, the APWG said in its report. In comparison, “we started 2012 with no attacks of this nature,” the APWG said.
“Instead of hacking sites one at a time, the phisher can infect dozens, hundreds, or even thousands of web sites at a time, depending on the server,” according to the report.
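The server-side change the APWG describes, a single configuration edit that makes one file reachable under every hosted domain, leaves a recognisable trace on the server. On Apache, a mod_alias directive (Alias, ScriptAlias and their Match variants) placed in the main server context, outside every <VirtualHost> block, is inherited by all virtual hosts, so one line serves the payload for every customer site. The following audit script is an added example written for this page; it is not from the APWG report or from Solera Networks, it assumes an Apache-style configuration, and the sample httpd.conf it parses is constructed (the three site names and the alias path are invented, and the alias on line 3 stands in for the kind of edit described).

```python
import re

# Constructed sample httpd.conf for a shared server with three customer sites (not a real config).
# Line 3 is the kind of edit the report describes: a server-wide alias that every site will serve.
SAMPLE_CONFIG = """\
# constructed sample: three customer sites on one shared server
ServerRoot "/etc/httpd"
Alias /order-confirmation.zip /tmp/.cache/invoice.zip
<VirtualHost *:80>
    ServerName smallbiz-a.example
    DocumentRoot /var/www/a
</VirtualHost>
<VirtualHost *:80>
    ServerName club-b.example
    DocumentRoot /var/www/b
    Alias /downloads /var/www/b/files
</VirtualHost>
<VirtualHost *:80>
    ServerName person-c.example
    DocumentRoot /var/www/c
</VirtualHost>
"""

# mod_alias directives in the main server context are inherited by every <VirtualHost>.
MAPPING = re.compile(r"^\s*(Alias|AliasMatch|ScriptAlias|ScriptAliasMatch)\s+(\S+)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)


def audit_apache_config(text):
    """Return (global_rules, vhosts).

    global_rules: (line_no, directive, url_path, target) for URL-mapping directives that sit
    outside any <VirtualHost> block and therefore apply to every hosted site.
    vhosts: the ServerName of each <VirtualHost>, i.e. the sites such a rule would affect.
    Mapping directives inside a <VirtualHost> are that site's own business and are not reported.
    """
    global_rules, vhosts = [], []
    depth = 0                      # 0 = main server context, >0 = inside a <VirtualHost>
    for line_no, line in enumerate(text.splitlines(), 1):
        if VHOST_OPEN.match(line):
            depth += 1
            continue
        if VHOST_CLOSE.match(line):
            depth -= 1
            continue
        m = SERVERNAME.match(line)
        if m and depth > 0:
            vhosts.append(m.group(1))
            continue
        m = MAPPING.match(line)
        if m and depth == 0:
            global_rules.append((line_no, m.group(1), m.group(2), m.group(3)))
    return global_rules, vhosts


if __name__ == "__main__":
    rules, names = audit_apache_config(SAMPLE_CONFIG)
    for line_no, directive, url_path, target in rules:
        print(f"line {line_no}: {directive} {url_path} -> {target} (served by {len(names)} sites)")
```

Two caveats for anyone running this against a real server: mod_rewrite rules in the main server context are not inherited unless a virtual host sets RewriteOptions Inherit, so a global RewriteRule deserves a separate check of that option; and an attacker with write access to the configuration can just as easily add the same line to every site's .htaccess, so the per-directory files are worth diffing as well.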
These attacks corrupt local navigational infrastructure to misdirect consumers either to counterfeit Web sites or to authentic Web sites through phisher-controlled proxies, the APWG wrote in its latest Phishing Activity Trends Report, covering the fourth quarter of 2012.
After the user unzips the archive and runs the executable, the malware opens the default text editor and displays a message saying the package has not yet been delivered. In the background, it rapidly attempts to contact multiple command-and-control servers, making five to ten attempts per minute.
The tactics are the same, but the malware has changed, Brandt said. In March, spam messages using the same lures were spreading Cridex (also known as Bublik), which in turn downloaded other password stealers onto the infected machine, according to Solera Networks.
Email remains an “effective attack vector for phishing, malware, and spam,” according to the APWG fourth-quarter report. The quarter saw an all-time high in the number of brands and legitimate entities targeted by attackers.
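The decoy message is meant to be the only thing the victim notices; the behaviour that stands out to a defender is the other half, a host trying a rotating set of command-and-control servers five to ten times a minute. That pattern is visible in ordinary egress firewall or proxy logs. The following detector is an added example written for this page, not code from Solera Networks; the log format (timestamp, src=, dst=, action=) and the nine sample lines are constructed for the demonstration, using documentation-range addresses, and the thresholds are assumptions that a practitioner would tune to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of egress firewall log lines (not real campaign data). 10.0.0.7 shows the
# article's pattern: repeated attempts to several different servers within one minute.
SAMPLE_LOG = """\
2013-04-05T10:00:01 src=10.0.0.7 dst=198.51.100.10:8080 action=deny
2013-04-05T10:00:07 src=10.0.0.7 dst=203.0.113.5:8080 action=deny
2013-04-05T10:00:13 src=10.0.0.7 dst=198.51.100.10:8080 action=deny
2013-04-05T10:00:19 src=10.0.0.7 dst=192.0.2.44:8080 action=deny
2013-04-05T10:00:25 src=10.0.0.7 dst=203.0.113.5:8080 action=deny
2013-04-05T10:00:31 src=10.0.0.7 dst=198.51.100.77:8080 action=deny
2013-04-05T10:00:37 src=10.0.0.7 dst=192.0.2.44:8080 action=deny
2013-04-05T10:00:40 src=10.0.0.8 dst=192.0.2.200:443 action=allow
2013-04-05T10:03:12 src=10.0.0.8 dst=192.0.2.200:443 action=allow
"""


def parse_line(line):
    """Split one 'TIMESTAMP key=value key=value ...' line into (timestamp, src, dst)."""
    ts_text, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts_text), fields["src"], fields["dst"]


def find_beaconing(log_text, min_attempts=5, min_dsts=2, window=timedelta(seconds=60)):
    """Return {src: (peak_attempts_in_window, distinct_destinations)} for hosts whose busiest
    `window` contains at least min_attempts connection attempts and which talked to at least
    min_dsts distinct destinations overall.

    The per-host scan is a sliding window over the sorted timestamps, so a short burst is
    caught even when the host is otherwise quiet for the rest of the log.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({dst for _, dst in evs})
        if peak >= min_attempts and distinct >= min_dsts:
            hits[src] = (peak, distinct)
    return hits


if __name__ == "__main__":
    for src, (peak, distinct) in find_beaconing(SAMPLE_LOG).items():
        print(f"{src}: {peak} attempts in 60s across {distinct} destinations")
```

Requiring several distinct destinations as well as a high rate is what separates this from a busy but legitimate client polling one API; the campaign's rotation through multiple command-and-control servers is the distinguishing feature, and the action field (deny versus allow) is a useful extra signal when the servers on the list are already dead.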