A targeted spam wave is infecting Windows computers with a backdoor capable of stealing sensitive corporate information from small and medium-sized businesses.
Bitdefender antispam researchers have identified a couple of thousand emails carrying .pub (Microsoft Publisher) attachments that pose as orders and invoices for products. The senders impersonate employees of small and medium-sized businesses in the UK and China, as well as other legitimate companies.
The .pub file contains a script (VBScript) that embeds a URL pointing at a remote host. From that location the malware downloads a self-extracting cabinet file containing an AutoIt script, the interpreter needed to run it, and an AES-256-encrypted file. Antimalware researchers found that the encrypted file can be decrypted with a key derived from the MD5 hash of a text string hard-coded in the AutoIt script.
Fig. 1 Deobfuscated VBScript
Fig. 2 Decoded AutoIt script with MD5 for decryption key
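The decryption step above is what an analyst reproduces to recover the payload without running the dropper. The following is an added worked example, not code from the original article or from the malware: it derives an AES-256 key from the MD5 of a string and decrypts a constructed sample blob. The page only says that the key is "derived from the MD5"; the expansion of the 16-byte MD5 digest into a 32-byte key, CBC mode, an all-zero IV and PKCS#5 padding are the Windows CryptoAPI (CryptDeriveKey/CryptEncrypt) defaults that AutoIt's Crypt UDF relies on, and they are assumptions here, as is the `example-key-string` stand-in for the real hard-coded text. Key derivation needs only the standard library; AES itself uses the `cryptography` package if it is installed.

```python
import hashlib

try:  # AES is not in the standard library; the key derivation below is.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives import padding
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False

AES256_KEY_LEN = 32
CRYPTAPI_PAD_LEN = 64  # CryptDeriveKey pads the hash to a 64-byte block
ZERO_IV = bytes(16)    # CryptoAPI default IV for CBC (assumption, see lead-in)


def md5_of_text(text: str, encoding: str = "utf-8") -> bytes:
    """MD5 of the key string as the AutoIt script would hash it.
    The encoding is an assumption; for ASCII strings ANSI and UTF-8 agree."""
    return hashlib.md5(text.encode(encoding)).digest()


def cryptapi_expand(hash_value: bytes, key_len: int, hash_name: str = "md5") -> bytes:
    """Expand a hash into key_len bytes the way Windows CryptDeriveKey does.

    If the hash is at least key_len bytes, the key is its prefix. Otherwise
    the hash is zero-padded to 64 bytes, XORed with 0x36 and with 0x5C, each
    buffer is hashed again with the same algorithm, and the concatenation is
    truncated to key_len. With MD5 that is 2 * 16 = 32 bytes: one AES-256 key.
    """
    if len(hash_value) >= key_len:
        return hash_value[:key_len]
    padded = hash_value.ljust(CRYPTAPI_PAD_LEN, b"\x00")
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in padded)).digest()
    outer = hashlib.new(hash_name, bytes(b ^ 0x5C for b in padded)).digest()
    return (inner + outer)[:key_len]


def derive_aes256_key(text: str) -> bytes:
    """Key string from the AutoIt script -> MD5 -> CryptDeriveKey expansion."""
    return cryptapi_expand(md5_of_text(text), AES256_KEY_LEN)


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """AES-256-CBC, zero IV, PKCS#5 padding (CryptoAPI defaults, assumed)."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("install the 'cryptography' package to decrypt")
    if not blob or len(blob) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    decryptor = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV)).decryptor()
    padded = decryptor.update(blob) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def encrypt_payload(plaintext: bytes, key: bytes) -> bytes:
    """Inverse of decrypt_payload; used only to build the constructed sample."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("install the 'cryptography' package to encrypt")
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV)).encryptor()
    return encryptor.update(padded) + encryptor.finalize()


if __name__ == "__main__":
    # Constructed demo: a made-up key string standing in for the text carried
    # by the AutoIt script, and a fake payload that is not the real malware.
    key = derive_aes256_key("example-key-string")
    print("AES-256 key:", key.hex())
    if HAVE_CRYPTOGRAPHY:
        sample = encrypt_payload(b"MZ\x90\x00 fake payload for the demo", key)
        recovered = decrypt_payload(sample, key)
        # A real dropped executable starts with the PE "MZ" magic; checking it
        # is the quickest way to tell a wrong key or mode from a good one.
        print("round trip ok, PE magic:", recovered[:2] == b"MZ")
```

When applying this to a real sample, feed the decrypted bytes into a PE check before trusting the key: a wrong IV or padding assumption usually shows up as a first block of garbage followed by plausible data, while a wrong key gives garbage throughout.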
Once the file is decrypted and installed, attackers have backdoor access and can control resources on the compromised computer. The malware can log keystrokes to capture usernames and passwords, steal login credentials saved by browsers or email clients, collect system information and carry out other intrusive actions.
“We have reason to believe that the stack originates from Saudi Arabia and the Czech Republic,” Miron adds.
Bitdefender detects and blocks the .pub file as W97M.Downloader.EGF and the backdoor payload as Generic.Malware.SFLl.545292C0.
MD5: 8bcaf480f97eb43d3bed8fcc7bc129a4
To stay protected from this type of threat, Bitdefender advises companies to install a robust anti-spam filter. Users should avoid opening or downloading suspicious email attachments from unsolicited sources.
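A filter along the lines recommended above does not need to understand Publisher files; it only needs to refuse script-bearing document types at the gateway. The following is an added example, not Bitdefender's code or part of the original article: it walks the MIME parts of a message with Python's standard `email` package and flags attachments whose final extension is on a deny list. The extension list is my own choice, and the messages it runs on are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as script-bearing or executable. The list is an
# assumption for this example; .pub is included because that is the format
# the campaign above uses to carry its VBScript downloader.
RISKY_EXTENSIONS = {".pub", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                    ".exe", ".scr", ".cab"}


def attachment_names(msg) -> list:
    """Return the declared filename of every non-container MIME part."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def final_extension(filename: str) -> str:
    """Extension after trimming trailing spaces/dots that hide the real suffix
    ("order.pub " or "order.pub...")."""
    cleaned = filename.strip().rstrip(". ").lower()
    if "." not in cleaned:
        return ""
    return "." + cleaned.rsplit(".", 1)[1]


def risky_attachments(raw_message: bytes) -> list:
    """Names of attachments that the gateway should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [name for name in attachment_names(msg)
            if final_extension(name) in RISKY_EXTENSIONS]


def build_sample(filename: str, subject: str) -> bytes:
    """Constructed test message with one binary attachment (not a real lure)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "orders@example.net"
    msg["Subject"] = subject
    msg.set_content("Please find the attached order.")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Order_4471.pub", "invoice.pdf", "Invoice.PDF.pub", "order.pub "):
        print(name, "->", risky_attachments(build_sample(name, "Order")))
```

The check is deliberately based on the final extension rather than on the declared MIME type, because the sender controls both and the extension is what decides which application Windows hands the file to when a user double-clicks it.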
Source:https://www.hotforsecurity.com/