Simply Security - News, Views, and Opinions from Trend Micro

Posted on April 3rd, 2012 in Cybercrime, Trend Labs by TrendLabs | Be the first to comment |

In an ironic twist of events, the news about the malicious email campaign that leverages political issues related to Tibet is now being used in a separate campaign resulting to malware infection.

So far, we have encountered two email campaigns using this particular social engineering technique. The first one, according to reports, has a spoofed sender that mimics Alienvault. In the said message, the specific recipients are warned about the malicious campaign reported on the said website. To know more about this incident, users are instructed to click the link included in the message. However, this is a just coy to mislead users to a website that downloads JAVA_RHINO.AE.

Once executed, this malicious JavaScript file exploits a vulnerability in the Java Runtime Environment to drop another malware. In another twist in this story, JAVA_RHINO.AE checks the OS running on the system before dropping the said file. If the system runs on Windows OS, the malware drops TROJ_RHINO.AE. However, if the recipient is using a Mac OS enabled system, JAVA_RHINO.AE then drops OSX_RHINO.AE. Based on our analyses, both malware connect to specific sites to send and receive information. In particular, TROJ_RHINO.AE sends information like username and hostname.

The second campaign is disguised as an email from a prominent Tibetan figure based in New York City. It is also a warning email, in which recipients are advised to ignore a certain email circulating using his name. The said spoofed email contains an attachment, a .DOC file named TenTips.doc. Similar to the email sample mentioned above, instead of helping users to avoid threats, it is actually a malicious file detected as TROJ_ARTIEF.FQ. It is an exploit file that targets the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the file BKDR_VISEL.FQ, which performs specific commands coming from a remote user.

We are currently investigating if these two campaigns are related or if both were orchestrated by the same group(s). It is possible, however, that two separate campaigns are using the same news item as a social engineering hook.

Cybercriminals have a lot of social engineering tricks and leveraging on security warnings is just one of these. Previously we have seen other threats posing as warning messages, such as the spammed wall posts that leads to a fake Facebook account verification site. Users who clicked the link end up spamming the same wall post to his/her contacts. There is also spammed messages masked as an email notification from Apple, which lead to a phishing site that tricks users to divulge their iTunes usernames and passwords.

Email messages, unfortunately, are still popular and effective infection vectors in today’s threat landscape. Users must be cautious and not readily click links from email messages, specially those from unknown senders. For those that spoof well-known brands, news organizations, and individuals, users must make it a habit to verify the validity of these messages. Better yet, bookmark credible news sites to check out the latest security news.

Trend Micro protects users from this attack via Trend Micro™ Smart Protection Network™ that detects and deletes all the related malware.

Post from: TrendLabs | Malware Blog – by Trend Micro

News of Malicious Email Campaign Used As Social Engineering Bait