The Latest in IT Security

Downloader Targets Down Under

23 Jan 2013

At the time of this blog post, and for the past five days, we have seen an increase in spam carrying malware aimed at Australian users. The attackers behind the campaign appear to have no specific target in mind other than compromising as many machines in Australia as possible, for reasons still unknown. Symantec Security Response has observed two separate versions of the campaign, each purporting to come from an Australian organization and each targeting Australian users.

In the first example, the email pretends to be from the Australian Taxation Office, uses the subject line “Tax Agent Report – Delayed Tax Returns”, and carries a ‘Tax Report.zip’ attachment. Inside the zip file is a malicious executable named TaxReport.xls.exe. The double extension relies on the Windows default of hiding known file extensions: in Explorer the file is listed as TaxReport.xls, so it looks like a spreadsheet while it is actually a program.

Figure 1. Downloader.Dromedan, malicious email spoofs Australian Taxation Office

In the second example, the email pretends to be from an Australian airline, uses the subject line “Check-in Details”, and carries a Check-in-Details.zip attachment. Inside the zip file is a malicious executable named ‘check-in details.pdf.exe’, which the same extension-hiding behaviour shows as a PDF called check-in details.pdf.

Figure 2. Downloader.Dromedan, malicious email spoofs Australian airline
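
Both lures depend on the recipient not noticing the real extension. The following Python script is an added example, not Symantec's detection logic or anything from the original post: it opens a zip attachment without extracting it, flags members whose name ends in an executable extension, reports the name Windows would display with known extensions hidden, and also reads the first two bytes of each member so that an executable renamed to a document extension is still caught. The archives it scans are constructed stand-ins for the two attachments; their contents are filler that begins with the two-byte MZ magic and are not the real payload.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run directly when the attachment is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions a lure puts in front of the real one.
DOCUMENT_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx", ".txt", ".jpg"}


def displayed_name(member_name: str) -> str:
    """Name as Windows Explorer shows it with 'Hide extensions for known
    file types' enabled: the last extension is dropped, the rest is kept."""
    base = member_name.rsplit("/", 1)[-1]
    stem, dot, _ext = base.rpartition(".")
    return stem if dot else base


def attachment_findings(member_name: str) -> List[str]:
    """Name-based checks: executable extension, and a document extension
    hiding in front of it (the TaxReport.xls.exe pattern)."""
    parts = member_name.rsplit("/", 1)[-1].lower().split(".")
    findings: List[str] = []
    if len(parts) < 2:
        return findings
    if "." + parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable extension ." + parts[-1])
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(
                "double extension: shown as '%s' when known extensions are hidden"
                % displayed_name(member_name)
            )
    return findings


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Return {member name: findings} for every suspicious member.
    Besides the name checks, the first two bytes are read so that a
    PE file renamed to a harmless extension is still caught."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = attachment_findings(info.filename)
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append("content starts with MZ (Windows executable header)")
            if findings:
                results[info.filename] = findings
    return results


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Constructed test archive; the content is a placeholder, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins for the two attachments described in the post:
# only the two-byte MZ magic is real, the rest is filler.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"placeholder, not a real executable"
TAX_REPORT_ZIP = build_sample_zip("TaxReport.xls.exe", FAKE_PE)
CHECKIN_ZIP = build_sample_zip("check-in details.pdf.exe", FAKE_PE)

if __name__ == "__main__":
    for label, data in (("Tax Report.zip", TAX_REPORT_ZIP), ("Check-in-Details.zip", CHECKIN_ZIP)):
        for name, findings in scan_zip(data).items():
            print("%s -> %s: %s" % (label, name, "; ".join(findings)))
```

The name check alone is enough for these two lures, but the MZ check is what catches the next variant that ships as invoice.pdf with an executable inside; a mail gateway rule should use both, and should inspect archive members rather than the archive name.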

Both attachments contain the same malware. Once executed, it attempts to connect to the following command-and-control (C&C) URLs:

  • linebench.ru/image.php
  • headart.pl/image.php
  • iprice.pl/image.php
  • dyndin.ru/image.php
  • dudebox.pl/image.php

The malware is a downloader: its job is to fetch and execute additional malicious files on the compromised machine, so what it ultimately installs can change over the life of the campaign. Symantec has protections in place for these attacks and detects the threat as Downloader.Dromedan.
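
The five URLs above are the most useful indicators for anyone running a network in Australia: a host that has resolved or requested them has almost certainly run the attachment. The Python below is an added example and not part of the original post. It parses a proxy log in a constructed format (the format, timestamps, client addresses and benign hosts are all assumptions made for the example), matches each request's hostname against the listed C&C hosts, including subdomains and non-standard ports, records whether the full path also matched, and produces the list of internal clients to isolate. Matching is done on the hostname rather than on /image.php alone, because that path is far too common to be an indicator by itself.

```python
from typing import List, NamedTuple, Optional, Set, Tuple
from urllib.parse import urlsplit

# The five C&C URLs listed in the post, as host and path.
CNC_URLS = [
    "linebench.ru/image.php",
    "headart.pl/image.php",
    "iprice.pl/image.php",
    "dyndin.ru/image.php",
    "dudebox.pl/image.php",
]
CNC_HOSTS: Set[str] = {u.split("/", 1)[0] for u in CNC_URLS}
CNC_PATH = "/image.php"


class Hit(NamedTuple):
    timestamp: str
    client: str
    host: str
    exact_url: bool  # host and path both match one of the listed URLs


def host_matches(host: str) -> bool:
    """Match the host itself or any subdomain of it; ignore case, a trailing dot and a port."""
    host = host.lower().rstrip(".").split(":", 1)[0]
    return host in CNC_HOSTS or any(host.endswith("." + h) for h in CNC_HOSTS)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Constructed log format (an assumption, not a real product's):
    '<timestamp> <client-ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return parts[0], parts[1], parts[3]


def find_cnc_hits(lines) -> List[Hit]:
    """Every request whose hostname is a listed C&C host. The HTTP status is
    ignored on purpose: a 404 or a failed connection still means the client
    ran the downloader."""
    hits: List[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, url = parsed
        if "://" not in url:
            url = "http://" + url
        split = urlsplit(url)
        host = split.hostname  # lower-cased, port removed
        if host and host_matches(host):
            hits.append(Hit(ts, client, host, split.path == CNC_PATH))
    return hits


def infected_clients(lines) -> List[str]:
    """Distinct internal hosts that contacted a listed C&C host: the triage list."""
    return sorted({h.client for h in find_cnc_hits(lines)})


# Constructed proxy log excerpt; addresses and benign hosts are made up.
SAMPLE_LOG = """\
2013-01-23T09:14:02 10.1.2.34 GET http://intranet.example.com/ 200
2013-01-23T09:15:11 10.1.2.34 GET http://linebench.ru/image.php 200
2013-01-23T09:15:40 10.1.2.34 POST http://headart.pl/image.php 404
2013-01-23T09:16:03 10.1.2.57 GET http://cdn.example.com/image.php 200
2013-01-23T09:16:30 10.1.2.34 GET http://dudebox.pl/other.php 200
2013-01-23T09:17:02 10.1.2.88 GET http://WWW.dyndin.ru:8080/image.php 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_cnc_hits(SAMPLE_LOG):
        print(hit)
    print("clients to isolate:", infected_clients(SAMPLE_LOG))
```

The same host list belongs in the proxy and DNS block lists as well, but blocking is not enough on its own: because the sample is a downloader, any client that appears in this list should be treated as compromised and examined for whatever second-stage files it managed to fetch before the block went in.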

As always, we recommend exercising caution when opening email attachments. If an unexpected email claims to come from an organization you have no dealings with, assume it is potentially malicious and do not open the attachment.

If you doubt the authenticity of an email, go directly to the organization's website (typing the address yourself rather than following a link in the message) and contact them for confirmation. Most organizations are impersonated by spammers and scammers at some point, and usually provide a way to report abuse on their websites.
