
Spanish Spam Abuses Reply-To, Contains Downloader


This is hardly the first time cybercriminals have used Facebook to spread spam and malware. As anti-spammers became vigilant against these techniques, the spammers kept up and thought of different ways to spread dangerous links to malicious websites. A sample seen recently uses a revived technique: make the email look like it came from a trustworthy source (in this case Facebook), then insert random email addresses into the Reply-To field.

Facebook spam in Spanish containing malicious links
Figure 1. The Facebook spam contains several links; the first one even looks safe to click. Hovering the mouse over the link reveals it is anything but safe.

The result: when a user hits the reply button, the mail client automatically includes all of those email addresses in the recipients field.
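The header pattern described above can be checked for on the receiving side. The following is an added example, not code from the original post: a small Python check that flags messages whose Reply-To carries several addresses or points to domains other than the From domain. The two message samples are constructed, and the threshold of one Reply-To address is an assumption.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample of the technique: From impersonates Facebook while
# Reply-To is stuffed with unrelated addresses, so a reply goes to all of them.
SAMPLE_SPAM = """\
From: Facebook <notification@facebook.example>
Reply-To: a@one.example, b@two.example, c@three.example
To: victim@corp.example
Subject: A user of Facebook to send you this message
Content-Type: text/plain; charset=utf-8

Click on the link to view the content
"""

# Constructed benign sample: a single Reply-To in the sender's own domain.
SAMPLE_BENIGN = """\
From: Alice <alice@corp.example>
Reply-To: helpdesk@corp.example
To: bob@corp.example
Subject: hello

text
"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def reply_to_findings(raw: str, max_reply_to: int = 1) -> list[str]:
    """Return reasons this message's Reply-To looks abused (empty if none).

    Heuristics (an assumption for this example, not a vendor rule):
      * Reply-To lists more addresses than max_reply_to.
      * Some Reply-To domain differs from every From domain.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    findings = []
    if len(reply_addrs) > max_reply_to:
        findings.append(f"Reply-To carries {len(reply_addrs)} addresses")
    from_domains = {domain_of(a) for a in from_addrs}
    foreign = sorted({domain_of(a) for a in reply_addrs} - from_domains)
    if foreign:
        findings.append("Reply-To domains differ from From: " + ", ".join(foreign))
    return findings

if __name__ == "__main__":
    for finding in reply_to_findings(SAMPLE_SPAM):
        print("suspicious:", finding)
```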

Email window showing the automatically populated To field
Figure 2. Several email addresses automatically populate the To field.

The Spanish text of the email message roughly translates to:

A user of Facebook to send you this message

The photos arrived you that send you before? because me not respondistes bue you the command debuelta by if the doubts are those of the partuza eye q be not enlivened your girlfriend ciao{BLOCKED}.php

Click on the link to view the content

Posted by: I can not say but I know

If you can not see the content properly click here

Clicking on any of the links brings up the following prompt:

Dialogue prompt for download of strangely named file
Figure 3. The file offered is named strangely. Notice the long underscore.

Needless to say, the downloaded file is a malicious component, TROJ_DLOAD.AEY. It leads to a BANKER variant, TROJ_BANKER.HIJ, which is currently being analyzed. BANKER variants are notorious data-stealing malware targeting users with online bank accounts. Fortunately, the Smart Protection Network recognizes such threats before they ever arrive at the desktop, eliminating the risk to users who may encounter this spam-malware attack.

Post from: TrendLabs | Malware Blog – by Trend Micro
