TrendLabs engineers recently got hold of a spam run posing as an IT notification email. The subject line, “Setting for your mailbox are changed,” combined with a From field that used an address at the recipient’s own company, was designed to leave recipients doubtful or alarmed. The message then urged recipients to open and read the .PDF file attachment (doc.pdf, detected by Trend Micro as TROJ_PIDIEF.ZAC) before updating their email settings.
Figure 1. Sample fake IT notification spam
The .PDF file was not an ordinary document, however. Analysis revealed that the attachment carried a malicious script (batscript.vbs, aka VBS_EMOTI.A), which is executed through Adobe Reader’s /launch functionality in order to drop and run a malicious executable file (game.exe, aka WORM_EMOTI.A). /launch is a legitimate Adobe Reader and Acrobat feature that allows a portable document author to attach an .EXE file to a document; this file is automatically executed whenever the document is opened. The .EXE file in this attack carried a rootkit (bp.sys, aka RTKT_EMOTI.A) that hides malicious activities from users and attempts to connect to URLs from which other malicious files may be downloaded onto affected systems.
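The /launch abuse described above is detectable statically: the action dictionary has to be present in the PDF, and for it to fire on open it must be wired to /OpenAction (or /AA). The following triage scanner is an added example written for this article, not Trend Micro code; it inflates FlateDecode streams and normalises hex-escaped names so a compressed or obfuscated action is not missed, and runs over a constructed sample whose file names (batscript.vbs) mirror the report.

```python
import re
import zlib

# Names a defender wants flagged: auto-run hooks (/OpenAction, /AA) and risky actions.
RISKY_NAMES = (b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile", b"/OpenAction", b"/AA")

def _inflate_streams(data: bytes) -> bytes:
    # Append the inflated contents of every FlateDecode stream, so action
    # dictionaries stored inside compressed object streams are scanned too.
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or damaged; the raw bytes are already in out[0]
    return b"\n".join(out)

def _unescape_names(data: bytes) -> bytes:
    # PDF names may hex-escape characters (/L#61unch is the same name as /Launch);
    # normalise them so an escaped name cannot slip past the keyword check.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Heuristic triage: which risky names a PDF carries and whether they run on open."""
    body = _unescape_names(_inflate_streams(data))
    names = {n.decode(): body.count(n) for n in RISKY_NAMES if n in body}
    # Pull the /F target out of any /Launch dictionary (either key order) for the report.
    targets = re.findall(rb"/Launch[^>]*?/F\s*\(([^)]*)\)", body) + \
              re.findall(rb"/F\s*\(([^)]*)\)[^>]*?/S\s*/Launch", body)
    risky = any(k in names for k in ("/Launch", "/JavaScript", "/JS", "/EmbeddedFile"))
    auto_run = any(k in names for k in ("/OpenAction", "/AA"))
    verdict = "suspicious" if risky and auto_run else "review" if risky else "clean"
    return {"names": names, "launch_targets": [t.decode("latin-1") for t in targets],
            "auto_run": auto_run, "verdict": verdict}

# Constructed sample: only the objects a scanner cares about, not a complete PDF.
# The catalog sits in a Flate-compressed object stream and the action hides its
# name with a hex escape, two things a naive "grep /Launch" would miss.
_CATALOG = zlib.compress(b"<< /Type /Catalog /OpenAction 3 0 R >>")
SAMPLE_PDF = (b"%PDF-1.4\n2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(_CATALOG)).encode() + b" >>\nstream\n" + _CATALOG + b"\nendstream\nendobj\n"
              b"3 0 obj << /Type /Action /S /L#61unch /F (batscript.vbs) >> endobj\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))  # verdict: suspicious, launch target batscript.vbs
    print(scan_pdf(BENIGN_PDF))  # verdict: clean
```

The regexes are deliberately loose heuristics for mail-gateway triage; a /Launch target wrapped in a nested file-specification dictionary still raises the verdict even if its name is not extracted.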
TrendLabs engineers also received other spam samples with malicious .PDF file attachments (detected as TROJ_KATUSHA.F) that used the same social engineering tactic.
A Recurring Email Threat
This is not the first time such a campaign was spotted in the wild. In fact, just last March, a spam purporting to be a mail service notification email was found targeting various antivirus companies. This spam also came with a malicious file attachment detected as TROJ_FAKEAV.EAO. Five months earlier, a slightly modified ZBOT spam campaign with a malicious .ZIP file attachment detected as TROJ_FAKEREAN.CF also made the rounds. If that was not enough, this Trojan also downloaded another malicious file detected as TROJ_FAKEREAN.BI.
Figure 2. Fake IT notification spam infection diagram
Misusing Software Features
Adobe Reader and Acrobat’s /launch feature was also recently used to carry and propagate botnet malware via spam purporting to come from Royal Mail, a U.K.-based mail service. The spam sported a malicious .PDF file (detected as TROJ_PIDIEF.UTA) that claimed to be a delivery notice. Users tricked into opening the file ended up with systems infected with TSPY_ZBOT.NCT.
The Royal Mail and recent IT notification spam attacks highlight how cybercriminals misuse inherent software features for their malicious schemes. Unfortunately, Adobe is not the only software company that has suffered this fate. In the past, cybercriminals have likewise abused Microsoft Office’s macro functionality to wreak havoc, as the Melissa worm demonstrated.
User Risks and Exposure
Cybercriminals continue to use .PDF files and email as means to prey on unwitting users. Their email messages have also grown more sophisticated and convincing, to the point that even prudent users believed them and took action. Adding timeliness and newsworthiness to the formula has no doubt contributed to their recent attacks’ success.
The Messaging Anti-Abuse Working Group (MAAWG) conducted a survey on email security practices and found that 46 percent of users surveyed intentionally opened spam. As a rule, users are strongly advised not to open emails tagged as "spam" or to click links in suspicious-looking messages.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.
In this attack, Smart Protection Network protects Trend Micro product users by preventing spammed messages from even reaching their inboxes via the email reputation service. Web reputation service also prevents user access to malicious sites whose links are embedded in spam. Finally, file reputation service detects and prevents the execution of malicious files such as TROJ_PIDIEF.ZAC.
The following post at the TrendLabs Malware Blog discusses this threat: