Cisco - New Malware-Laced Spam Campaign Hits Corporate Users
Help Net Security published a news report on 10th February, 2015 quoting security firm Cisco: "A well-designed and extremely genuine-looking spam email campaign is currently targeting corporate users across the world, eventually leading the victims to a difficult-to-detect malware which downloads more malicious programs on the computer of the user."
The email appears to be sent by Microsoft's Volume Licensing Service Center (VLSC), and the potential victims are informed that they have received an Open License from Microsoft and must register themselves.
Cisco notes that the phishing email looks very similar to the real email that Microsoft's VLSC sends to users, and the personalized welcome line will surely trick many recipients into believing that the email is genuine.
Hovering the mouse over the link in the email reveals its true destination: a hijacked WordPress server. Cisco observed that a total of four domains have been employed for hosting the tainted file.
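The mismatch between what the link shows and where it actually points is something a mail gateway or a triage script can check mechanically. The following is an added example (not code from the Cisco report or the article) that parses an HTML e-mail body, pairs each anchor's visible text with its href, and flags anchors whose displayed text names one domain while the href points to another. The sample e-mail body, the recipient name and the `compromised-blog.example` hostname are constructed placeholders, not indicators from the campaign.

```python
"""Flag HTML e-mail links whose visible text suggests one domain but whose
href resolves to a different one (the lookalike-link pattern in the report)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating a VLSC welcome message. The hijacked-site
# hostname is a placeholder, not a real indicator of compromise.
SAMPLE_HTML = """
<p>Dear Jane Doe,</p>
<p>Welcome to the Volume Licensing Service Center. Please visit
<a href="http://compromised-blog.example/wp-content/vlsc.php">
https://www.microsoft.com/licensing/servicecenter</a> to register.</p>
<p><a href="https://www.microsoft.com/licensing/servicecenter">Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for this demonstration;
    a production check would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_lookalike_links(html):
    """Return findings as (href, visible_text, reason) tuples."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # Only anchors whose visible text itself looks like a URL or domain
        # can mislead the reader about the destination.
        match = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if not match:
            continue
        shown_host = match.group(1)
        if registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(
                (href, text, f"displays {shown_host} but links to {href_host}")
            )
    return findings


if __name__ == "__main__":
    for href, text, reason in flag_lookalike_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {reason} ({href!r})")
```

The check deliberately ignores anchors whose visible text is a plain word such as "Help", since those cannot misrepresent a destination; it is the URL-looking display text pointing at an unrelated host that marks the lookalike pattern described above.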
Softpedia.com published a news report on 9th February, 2015 in which Martin Nystrom, Senior Manager of Threat Defense at Cisco, commented on the malicious campaign, saying that "the source of the download gives away the rip-off, but most Internauts would not detect this because most visible elements look genuine."
The cyber crooks not only have superb social engineering expertise but also appear to be skilled at coding malware. The malicious file served is a variant of the Chanitor Trojan downloader.
Antivirus detection of the sample was low: only 9 out of 57 AV solutions recognized it as a potential threat.
Researchers at Zscaler named it Chanitor. In January it was observed distributing the Vawtrak Trojan, but it can also be used to deliver other kinds of malware.
Cisco's security researchers observe that this malware exemplifies three trends. First, attackers are targeting corporate users with improved phishing techniques. Second, they are building sandbox evasion into their malware, so that skilled investigators and a rich security toolbox are required to identify it. And lastly, Tor is becoming more commonplace as a means of command and control (C2) and exfiltration.