Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:
Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:
In the image above, we opened message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, fortunately its default settings prevented the malicious JavaScript in the HTML source code from running. The Thunderbird user needs to click the attachment or open the HTML file in a browser for the JavaScript to run.
The image below is another example of a more recent spam campaign. This particular message claims to be an invoice from a random company where an .HTM file is attached pretending to be an invoice file. Here, the sample spam was opened using Microsoft Outlook and the attachment just shows the icon of the default browser of the system. Again, in order for the malicious JavaScript to execute, the user needs to click the attachment to fire up a browser.
So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:
The first half of the HTML code is the benign part. It provides the “You are redirecting.” text in the browser title bar and prints “Please wait. Loading..” in the browser – the cybercriminal perhaps just being courteous. The second and malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a webpage in the same browser window. But this is not an ordinary webpage; it contains code that attempts to exploit multiple vulnerabilities in the browser and its plugin. In our test machine, the landing page successfully exploited our browser’s default PDF reader with the Libtiff integer overflow in Adobe Reader vulnerability. The exploit ended up downloading and installing malware in our test computer, which at the time of writing, was a data-stealing Trojan with the antivirus detection name Cridex.
The landing page that contains the exploit code is a kit used by cybercriminals particularly for this spam campaign, the Phoenix Exploit kit. This exploit kit is readily available for cybercriminals to buy and use, all they need is their own webserver that can run PHP server scripts. The image shown below is the screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—” referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.
Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future.
M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.
Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.
Leave a reply