
US Securities and Exchange Commission Spam Leads to Exploit and Stealer

02 Mar 2012

When one of our colleagues in Malta received an email in his GMail inbox that purports to originate from the U.S. Securities and Exchange Commission (SEC), he didn’t think twice about sending it over to the AV Labs for analysis. Take a look:


The said spam has the following details:

From: “Homer Hutchinson”
Subject: Notification of securities investigation against your company.
Message body:
Dear customer, Securities and Exchange Commission Whistleblower office has received complaint about possible infringement at your company, including Unregistered securities offering, involving such financial products as swaps.

Failure to provide a reply to this complaint within 28 day period will result in Securities and Exchange Commission investigation against your company. You can have access to the complaint details in U.S. Securities and Exchange Commission Tips, Complaints, and Referrals portal under the following link:

Complaint details

{SEC physical address}

Clicking the link leads users to ftp(dot)psimpresores(dot)com(dot)ar/QH1r1tTd/index(dot)html, which then redirects them to trucktumble(dot)com/search(dot)php?page=d44175c6da768b70.
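The tell in this message is that a link labelled "Complaint details" in an email claiming to come from the SEC actually points at an unrelated host. The following script is an added example, not code from the original post or from GFI: it extracts every link from an HTML email body and flags those whose host is not under the domain the sender claims (here sec.gov). The email body is constructed to mirror the spam described above; the spam URL is the post's own defanged indicator, refanged for parsing. The `http://` scheme and the second, legitimate-looking sec.gov link are assumptions added so the check has both a hit and a miss to work on.

```python
"""Added example: flag email links whose host does not match the claimed sender's
domain. Not part of the original post; sample email constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example(dot)com', 'hxxp://') back into a usable one."""
    return re.sub(r"\(dot\)", ".", ioc, flags=re.IGNORECASE).replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Inverse of refang, for safe display in reports."""
    return ioc.replace("http", "hxxp").replace(".", "(dot)")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (suffix match on a label boundary,
    so 'sec.gov.example.com' does NOT count as belonging to 'sec.gov')."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, claimed_domain: str) -> list:
    """Return every link whose destination host is not under the claimed sender's domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host_belongs_to(host, claimed_domain):
            findings.append({
                "text": text,
                "host": defang(host),  # defanged so a report cannot be clicked by accident
                "reason": f"link host is not under {claimed_domain}",
            })
    return findings


# Constructed email body modelled on the message in the post. The spam link is the
# post's own indicator; the http:// scheme and the second, legitimate-looking link
# are assumptions added for this example.
SPAM_LINK = "http://" + refang("ftp(dot)psimpresores(dot)com(dot)ar/QH1r1tTd/index(dot)html")
SAMPLE_EMAIL = f"""
<p>Dear customer, Securities and Exchange Commission Whistleblower office has
received complaint about possible infringement at your company.</p>
<p><a href="{SPAM_LINK}">Complaint details</a></p>
<p><a href="https://www.sec.gov/">U.S. Securities and Exchange Commission</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "sec.gov"):
        print(f"[!] '{finding['text']}' -> {finding['host']}: {finding['reason']}")
```

Run as-is it reports the "Complaint details" link and stays silent on the sec.gov one; a mail gateway rule would apply the same comparison between the sender's claimed organisation and each link's host before the message reaches an inbox.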


This page contains a Blackhole exploit kit that targets the following vulnerabilities:

  • CVE-2010-0188, an old Adobe Reader and Acrobat vulnerability (patch already available)
  • CVE-2010-1885, an old Microsoft Windows Help and Support vulnerability (patch already available)

Based on the deobfuscated script, the kit can also target vulnerabilities in Java, Adobe Flash, and Windows Media Player.

Once one of these vulnerabilities has been successfully exploited, the victim is led to trucktumble(dot)com/content/ap2(dot)php?f=e0c3a, from which the file about.exe is downloaded.
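The chain above (spam link, then the Blackhole landing page, then the payload request) is what a responder would look for in web-proxy logs to tell which machines merely clicked the link and which went on to fetch about.exe. The script below is an added example, not code from the original post or from GFI: it classifies each logged request into one of the three stages using the post's defanged indicators and gives each client a verdict by the deepest stage it reached. The log lines and the four-column `<epoch> <client_ip> <url> <status>` layout are constructed assumptions for this example; adapt `parse_line` to the real proxy format.

```python
"""Added example: detect the spam -> landing page -> payload chain in proxy logs.
Not part of the original post; log lines and their format are constructed."""
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example(dot)com') back into a usable one."""
    return ioc.replace("(dot)", ".")


# The redirect chain from the post, in the order a victim traverses it.
# Hosts and paths are the post's indicators; the stage names are ours.
STAGES = [
    ("spam_link",     refang("ftp(dot)psimpresores(dot)com(dot)ar"), "/QH1r1tTd/index.html"),
    ("landing_page",  refang("trucktumble(dot)com"),                 "/search.php"),
    ("payload_fetch", refang("trucktumble(dot)com"),                 "/content/ap2.php"),
]


def classify(url: str):
    """Map a requested URL to a chain stage name, or None if it is not part of the chain.
    Query strings (page=..., f=...) are ignored on purpose: the kit varies them per visit."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for name, stage_host, stage_path in STAGES:
        if host == stage_host and parsed.path == stage_path:
            return name
    return None


def parse_line(line: str):
    """Assumed proxy log layout: '<epoch> <client_ip> <url> <status>', whitespace separated."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, url, status = parts
    return {"ts": int(ts), "client": client, "url": url, "status": int(status)}


def analyze(log_text: str) -> dict:
    """Return {client_ip: [stage, ...]} for every client that touched any stage, in request order.
    Status codes are deliberately not filtered: the first hop may answer with a 3xx redirect,
    and even a failed payload request shows the browser got that far."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["url"])
        if stage is not None:
            seen.setdefault(rec["client"], []).append(stage)
    return seen


def alerts(log_text: str) -> dict:
    """Give each client a verdict by the deepest stage it reached."""
    verdicts = {}
    for client, stages in analyze(log_text).items():
        if "payload_fetch" in stages:
            verdicts[client] = "payload_fetched"       # isolate and image the host
        elif "landing_page" in stages:
            verdicts[client] = "landing_page_reached"  # check patch level / exploit success
        else:
            verdicts[client] = "spam_link_only"
    return verdicts


# Constructed sample log: one client walks the whole chain, one browses the real SEC site,
# one reaches the landing page but no further.
SAMPLE_LOG = """\
1330646401 10.0.0.5 http://ftp.psimpresores.com.ar/QH1r1tTd/index.html 302
1330646402 10.0.0.5 http://trucktumble.com/search.php?page=d44175c6da768b70 200
1330646409 10.0.0.5 http://trucktumble.com/content/ap2.php?f=e0c3a 200
1330646410 10.0.0.7 https://www.sec.gov/ 200
1330646420 10.0.0.9 http://trucktumble.com/search.php?page=d44175c6da768b70 200
"""

if __name__ == "__main__":
    for client, verdict in sorted(alerts(SAMPLE_LOG).items()):
        print(f"{client}: {verdict}")
```

Matching on host and path while ignoring the query string is the important design choice: the `page=` and `f=` values in the post are per-visit tokens, so an exact-URL blocklist would miss the next victim while a host-and-path rule still catches them.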


about.exe was found to be a variant of ZBOT, the infamous information stealer; we detect it as Win32.Malware!Drop. Only 12 AV vendors detect this variant as of this writing.

This isn’t the first time the trucktumble(dot)com domain has been involved in social engineering spam scams such as this one. As such, we ask you, dear Reader, to please be careful in handling emails in your inbox that are actually spam but that your filter failed to catch (hey, it happens). Also, please make sure that all software installed on your computers is updated and patched.

***

While we’re on the topic, GFI Software conducted a survey last month on how businesses cope with spam. In relation to this, we have published a write-up on our Talk Tech to Me blog discussing the analysis of what we found out, including the actual survey results and an infographic to better illustrate the statistics. Do check them out:

Jovi Umawing (Thanks to Jesmond and to the AV Labs team)
