Jun 30

One-Click Malware Spam Trend Continues to Evolve

Picking up on my last two posts, yesterday Red Condor blocked several more variants in this ongoing wave of deceptively malicious spam. Anti-virus engines are still struggling to detect the malware components of these campaigns. Their continued presence and variation show that the spammers are aware of this gap and are taking advantage of it.

One campaign that caught my attention yesterday used a new template commonly associated with spear-phishing activity. This template used the recipient’s domain to customize the message in a manner similar to the Microsoft Outlook Web Access spoof Red Condor reported earlier this year. In yesterday’s case the campaign used the ruse: “New secret questions were added to your domain.com account,” followed by a call-to-action URL.

Now, before this new trend in spam, anyone could have told you that this was a phishing attempt and that by clicking on the link you would be taken to a website where your webmail login credentials could be stolen. We can no longer make this assumption. In fact, clicking on the URL in this message would take you to a Canadian Pharmacy website.

But why would a spammer go to the effort of crafting a (pretty decent) spear-phishing message, only to drop unsuspecting victims at a Canadian Pharmacy page? As I’ve pointed out in previous posts, clicking on the link subjects the user to a stealthy drive-by download before landing on the pharmacy site. This is yet another example of the dangerous new one-click malware install category of spam that has emerged in recent months.

There were some other interesting variants in yesterday’s wave, including a campaign with the social engineering hook: “SUBJECT: george bush sex scandal,” with the usual link to a compromised host redirector. Another curious sample from today used a spoofed mailing list confirmation. In this sample, clicking on the URL to either confirm or deny subscription to the list landed you in the malware hot-zone.

I detected a new twist in the obfuscated JavaScript (which functions as the malware downloader and is executed via a hidden iframe tag) for this particular bogus sign-up confirmation. I decoded the sample to see if spammers were up to something new.

It turned out they’re using the same code to inject malware as in previous campaigns, only they’ve upgraded their obfuscation technique. The obfuscation still uses a two-level “encryption” of the plaintext JS. The difference is that this new wave includes operations on dummy variables and bogus try/catch blocks (among other tricks) to confuse automated methods for cleaning up the obfuscation.
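The hidden iframe carrier and the padding tricks described above (dummy arithmetic, bogus try/catch blocks, escaped string fragments fed to unescape/eval) are exactly the surface features a mail or web gateway can score without fully deobfuscating the script. The following scanner is an added example written for this post, not Red Condor’s code or anything recovered from the campaign; the sample page, the indicator weights and the alert threshold are all constructed assumptions for illustration.

```python
"""Heuristic scanner for pages carrying a hidden-iframe JavaScript downloader.

Added example, not Red Condor's code. The HTML below is a constructed fixture
that imitates the shape of the spoofed sign-up confirmation: a benign-looking
body, a zero-size iframe, and an inline script padded with dummy variables,
bogus try/catch blocks and escaped string fragments. The weights and
threshold are assumptions chosen for illustration, not tuned values.
"""
import math
import re
from collections import Counter

# Constructed sample page (not taken from the campaign).
SAMPLE_HTML = """<html><body>
<p>Your subscription to the newsletter has been confirmed.</p>
<iframe src="http://redirector.example.invalid/in.php" width="0" height="0"
        style="display:none"></iframe>
<script type="text/javascript">
var zz=17, yy=zz*3, xx=yy-zz;                    /* dummy arithmetic, never used */
try { xx = xx + 1; } catch (err) { zz = 0; }     /* bogus try/catch */
var p1 = unescape("%65%76%61%6c");
var p2 = String.fromCharCode(100,111,99,117,109,101,110,116);
try { yy = p1.length; } catch (err) { yy = -1; } /* bogus try/catch */
eval(p1 + "(" + p2 + ")");
</script>
<script>document.getElementById("banner").style.color = "blue";</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# (name, pattern, weight, cap): weight is added once per match, at most cap times.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 3, 1),
    ("unescape", re.compile(r"\bunescape\s*\("), 2, 1),
    ("fromCharCode", re.compile(r"\.fromCharCode\s*\("), 2, 1),
    ("document_write", re.compile(r"document\.write\s*\("), 1, 1),
    # every try/catch counts: loaders pad with several that do nothing
    ("try_catch", re.compile(r"\btry\s*\{[^}]*\}\s*catch\b"), 1, 3),
    # runs of four or more %xx or \xNN escapes: a packed string fragment
    ("escape_run", re.compile(r"(?:%[0-9a-fA-F]{2}){4,}|(?:\\x[0-9a-fA-F]{2}){4,}"), 2, 1),
]


def is_hidden_iframe(tag: str) -> bool:
    """Zero/one-pixel frames or CSS-hidden frames are the classic loader carrier."""
    t = tag.lower()
    tiny = re.search(r'\b(width|height)\s*=\s*["\']?\s*[01]\b', t) is not None
    css_hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", t) is not None
    return tiny or css_hidden


def shannon_entropy(text: str) -> float:
    """Bits per character; packed/escaped script bodies tend to run high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_script(src: str) -> dict:
    """Count indicator hits in one script body and turn them into a score."""
    hits, score = {}, 0
    for name, pattern, weight, cap in INDICATORS:
        n = len(pattern.findall(src))
        if n:
            hits[name] = n
            score += weight * min(n, cap)
    return {"score": score, "hits": hits, "entropy": round(shannon_entropy(src), 2)}


def scan_page(html: str, threshold: int = 6) -> dict:
    """Combine hidden-iframe count with the worst script score on the page."""
    iframes = [t for t in IFRAME_RE.findall(html) if is_hidden_iframe(t)]
    scripts = [score_script(body) for body in SCRIPT_RE.findall(html)]
    total = 3 * len(iframes) + max((s["score"] for s in scripts), default=0)
    return {
        "hidden_iframes": len(iframes),
        "scripts": scripts,
        "total": total,
        "suspicious": total >= threshold,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_page(SAMPLE_HTML), indent=2))
```

On the constructed page the first script alone scores 11 (eval, unescape, fromCharCode, two try/catch blocks and one escape run) and the zero-size iframe adds 3, so the page trips the threshold while the second, ordinary script scores 0. The point of scoring padding constructs rather than trying to undo the two-level encoding is that the padding is what the spammers add to defeat automated cleanup, so counting it turns their evasion into a signal; entropy is reported for the analyst but deliberately left out of the score because a threshold for it needs tuning against real traffic.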

One anti-virus company finally started detecting the obfuscated JS downloader recently. For the interested reader, here are the Virus Total results for the malware components obtained from a sample of this would-be spear-phishing campaign:

Obfuscated JS:

http://www.virustotal.com/analisis/f7307dfba29990123b395c3f4097766b345e0e8bf26ef2e0ac76db40d055baca-1277757692

Malicious PDF:

http://www.virustotal.com/analisis/26926605acb9e6634c8aaffeec01df906e10cb8502cea46381f270914b6bc0ce-1277757621

Malicious Java:

http://www.virustotal.com/analisis/580e722a69a98d631f94d6cec7a0c582048f856971bbd5a252aa3dfc3d6a6e3e-1277757656

The rate of increase in detection for all of these components has been disappointingly flat despite the persistence of these threats, carried by millions of spam messages destined for users’ computers.

Like the other campaigns Red Condor has blocked, this latest wave supports my original hypothesis: Scammers will continue to employ every trick in the book to gain control over the user’s system.

I continue to believe that we are witnessing evidence of a significant shift in the underground economy at the heart of the spam game. Spammers are finally starting to grasp the notion that (access to) information is power and that by focusing their efforts on compromising computer resources there is far greater potential for financial payoff.

Kickbacks from affiliate marketing schemes or the sale of compromised webmail accounts are small potatoes compared to auctioning off access to infected machines at Fortune 100 companies, or inside government firewalls.

We’re definitely not in Egypt anymore.