Super Tuesday and Anti-Putin Emails Serve Malware

Before, during and after a major election campaign, cybercriminals send emails to unsuspecting users that exploit the news cycle to spread malware. Security researchers have found two such campaigns: one targeting Americans with a Super Tuesday lure, and one targeting Russians with a lure built around anti-Putin demonstrations.

Sophos researchers found an email carrying a file named “Super_Tuesday_2012_ voting_information.exe”, which supposedly contains information about the primary votes in which US parties select their presidential candidate. The name is the lure; the file itself is an executable, not a document.

In reality, once executed, the file downloads further malware onto the affected system and opens a legitimate PDF as a decoy, so the victim sees the document they expected.

Identified by Sophos as Troj/ST2012V-A, the Trojan contacts a website hosted in Russia from which it receives its commands.
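The common thread in both campaigns is an attachment whose name promises a document but whose extension says otherwise. The following mail-gateway triage check is an added example, not code from the original article or from Sophos or Symantec; it uses the file name quoted above as a constructed sample, and the small lure vocabulary, the extension lists and the `Verdict` type are assumptions chosen for the example. It also covers two disguises the page does not mention but which the same check catches: a document extension hidden before the real one (`report.pdf.exe`) and whitespace padding that pushes the real extension out of view.

```python
import re
from dataclasses import dataclass, field

# Extensions that execute code when opened on Windows (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# Extensions a reader expects for "information" or "instructions" (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
# Words used in the lure file names on this page (assumed vocabulary).
LURE_WORDS = ("information", "instruction", "voting", "election",
              "demonstration", "meeting")


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage_attachment(filename: str) -> Verdict:
    """Decide whether an attachment name looks like a document-lure executable."""
    reasons = []
    name = filename.strip()
    lowered = name.lower()

    base, sep, ext = lowered.rpartition(".")
    if not sep:
        return Verdict(filename, False, ["no extension"])
    ext = ext.strip()
    base = base.strip()

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # Double extension such as "report.pdf.exe".
        inner = base.rpartition(".")[2]
        if inner in DOCUMENT_EXTS:
            reasons.append(f"document extension .{inner} hidden before .{ext}")
        if any(word in base for word in LURE_WORDS):
            reasons.append("document-style lure words in an executable name")

    # Whitespace before the final extension hides ".exe" off-screen in mail clients.
    if re.search(r"\s\.[a-z0-9]+$", lowered):
        reasons.append("whitespace before the final extension")

    # Right-to-left override reverses the displayed tail of the name.
    rtl_override = "\u202e" in name
    if rtl_override:
        reasons.append("Unicode right-to-left override in file name")

    suspicious = ext in EXECUTABLE_EXTS or rtl_override
    return Verdict(filename, suspicious, reasons)


if __name__ == "__main__":
    # Constructed samples: the lure from the article plus two disguised variants.
    for sample in ("Super_Tuesday_2012_ voting_information.exe",
                   "protest_map.pdf",
                   "instructions.pdf                    .exe"):
        v = triage_attachment(sample)
        print(f"{v.suspicious!s:5}  {sample!r}  {v.reasons}")
```

The check is deliberately name-based so it can run at the gateway before the attachment is detonated; it complements, rather than replaces, content-based scanning of the file itself.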

The spam campaign targeting Russian users was found by Symantec. The emails carry subjects such as “All to demonstration”, “Instructions what to do” or “Meeting for the equal elections” and claim to contain information about anti-Putin protests that are about to take place.

Vladimir Putin’s election as president of Russia was highly controversial, and many citizens rallied against the government; the criminals behind the campaign evidently expected the topic to draw a large number of clicks.

The attachment is detected as Trojan.Dropper: a document containing a macro that drops a second malicious component, detected as Trojan.Gen. As in the Super Tuesday case, a legitimate-looking document, here a map of the protests, is displayed to avoid raising suspicion.

This Trojan is destructive: it searches the hard drive for files with the extensions 7z, doc, exe, rar, xls, zip and msc and deletes them.

The malware also connects to an IP address from which it fetches another Trojan, known as Smoaler. Once the targeted files have been found and deleted, the threat marks its own process as critical via the RtlSetProcessIsCritical API and then terminates; Windows treats the exit of a critical process as fatal and halts with a blue screen.
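The two behaviours described above, mass deletion of user documents and a call to RtlSetProcessIsCritical, are both visible in a sandbox or EDR API trace and almost never occur in legitimate software. The analyser below is an added example, not code from the article or from Symantec: it scores a constructed API log (the `pid=… api=… path=…` line format, the process IDs and the paths are all invented for the example) and flags any process that deletes the file types the article names or calls the critical-process API. The deletion threshold is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict

# File types the article says the dropper hunts for and deletes.
TARGET_EXTS = {"7z", "doc", "exe", "rar", "xls", "zip", "msc"}
# Marking a process critical and then exiting bugchecks Windows.
CRITICAL_API = "RtlSetProcessIsCritical"
DELETE_THRESHOLD = 5  # assumption: minimum targeted deletions per process to flag

# Assumed log format: "<timestamp> pid=<n> api=<name> [path=<path>]".
LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)(?:\s+path=(\S+))?")

# Constructed sample trace: pid 3308 wipes documents, then goes critical and exits.
SAMPLE_LOG = r"""
2012-03-06 09:14:02 pid=2140 api=CreateProcessW path=C:\Users\ivan\AppData\Local\Temp\dropped.exe
2012-03-06 09:14:03 pid=2140 api=CreateFileW path=C:\Users\ivan\Desktop\map.pdf
2012-03-06 09:14:05 pid=3308 api=FindFirstFileW path=C:\Users\ivan\Documents\*
2012-03-06 09:14:05 pid=3308 api=DeleteFileW path=C:\Users\ivan\Documents\budget.xls
2012-03-06 09:14:05 pid=3308 api=DeleteFileW path=C:\Users\ivan\Documents\notes.doc
2012-03-06 09:14:05 pid=3308 api=DeleteFileW path=C:\Users\ivan\Documents\backup.zip
2012-03-06 09:14:06 pid=3308 api=DeleteFileW path=C:\Users\ivan\Documents\photos.rar
2012-03-06 09:14:06 pid=3308 api=DeleteFileW path=C:\Users\ivan\Downloads\setup.exe
2012-03-06 09:14:06 pid=3308 api=DeleteFileW path=C:\Users\ivan\Documents\draft.txt
2012-03-06 09:14:07 pid=3308 api=RtlSetProcessIsCritical
2012-03-06 09:14:07 pid=3308 api=ExitProcess
2012-03-06 09:14:09 pid=1024 api=DeleteFileW path=C:\Users\ivan\AppData\Local\Temp\tmp1.doc
""".strip().splitlines()


def analyze_log(lines):
    """Return {pid: [reasons]} for processes showing the wiper/crash pattern."""
    deletes = defaultdict(list)   # pid -> deleted paths with targeted extensions
    critical = set()              # pids that called RtlSetProcessIsCritical

    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, api, path = m.group(1), m.group(2), m.group(3)
        if api == CRITICAL_API:
            critical.add(pid)
        elif api in ("DeleteFileW", "DeleteFileA") and path:
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if ext in TARGET_EXTS:
                deletes[pid].append(path)

    findings = {}
    for pid in set(deletes) | critical:
        reasons = []
        wiped = deletes.get(pid, [])
        if len(wiped) >= DELETE_THRESHOLD:
            exts = sorted({p.rsplit(".", 1)[-1].lower() for p in wiped})
            reasons.append(f"mass deletion of {len(wiped)} user files ({', '.join(exts)})")
        if pid in critical:
            reasons.append(f"{CRITICAL_API} called (machine will bugcheck when the process exits)")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze_log(SAMPLE_LOG).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

A single RtlSetProcessIsCritical call is a strong signal on its own and needs no threshold; the deletion count is what separates a wiper from a program cleaning up its own temporary files, which is why pid 1024 in the sample is not flagged.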

Users are advised to treat unsolicited emails about current events with suspicion and never to open an attachment that turns out to be an executable or a macro-enabled document, however relevant its name appears.
