Well, these scammers are busy…
Less than 24 hours after issuing a warning of new variations and tactics being used in the one-click, plug-and-play malware campaign that we have been monitoring the past several months, we blocked a number of new messages that spoofed Amazon, ImageShack and Gawab. All of the messages used the plug-n-play malware distribution architecture.
Interestingly, Friday’s messages reverted to the older exploit set that has been in use for the past couple of months.
There is a new twist in these messages, however. The scammers are using this opportunity to perform the drive-by download as usual, but instead of using the redirection page to drop you on a Canadian Pharmacy site, the redirection instructs the browser to download an .exe (adobe_flash_install.exe) which, as of this morning, was not detected by any AV engines.
Below is the VT analysis of this malware:
Also, in case the browser refresh directive doesn’t work, the redirect page when loaded looks like a blank page containing a single image:
(The above link is safe to view. The spammers are using a legitimate image hosted on Coca-Cola’s website.)
Clicking on the image on the redirect page will also download the malicious .exe.
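As an added example (not code from the original post), the following Python scans a saved copy of a redirect page for the two download triggers described above: a meta refresh directive pointing at an executable, and a clickable image whose link points at one. The sample page and its hostnames are constructed placeholders, not the campaign’s real URLs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions whose download a redirect page should never silently trigger.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".msi")

def is_executable_url(url):
    """True if the URL path ends in a Windows executable extension."""
    return urlparse(url.strip()).path.lower().endswith(EXEC_EXTENSIONS)

class RedirectPageScanner(HTMLParser):
    """Collects meta-refresh targets and hrefs of links that wrap an <img>."""
    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.image_links = []
        self._open_hrefs = []  # hrefs of <a> elements currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0;url=http://..." (case of "url" varies)
            _, sep, target = (a.get("content") or "").partition("=")
            if sep:
                self.refresh_targets.append(target.strip())
        elif tag == "a" and a.get("href"):
            self._open_hrefs.append(a["href"])
        elif tag == "img" and self._open_hrefs:
            self.image_links.append(self._open_hrefs[-1])

    def handle_endtag(self, tag):
        if tag == "a" and self._open_hrefs:
            self._open_hrefs.pop()

def scan_redirect_page(html):
    """Return (mechanism, url) pairs for executable downloads the page triggers."""
    scanner = RedirectPageScanner()
    scanner.feed(html)
    return ([("meta-refresh", u) for u in scanner.refresh_targets if is_executable_url(u)]
            + [("image-link", u) for u in scanner.image_links if is_executable_url(u)])

# Constructed sample page; hostnames are placeholders, not the campaign's real URLs.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;URL=http://redirect.example.invalid/adobe_flash_install.exe">
</head><body>
<a href="http://redirect.example.invalid/adobe_flash_install.exe">
<img src="http://images.example.invalid/logo.gif"></a>
</body></html>"""
```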
All this is in addition to the usual litany of exploits typically employed by these campaigns; they are using a couple of different versions this time. None of these variations are detected by more than a handful of AV engines. The malicious payloads include a couple of signature-distinct executables, which most likely are two instances of the same Trojan that has simply been mutated:
Additionally there is the usual, freshly mutated PDF exploit:
And of course there are the other exploits that usually accompany these campaigns, but they do not appear to have changed much.