Server upgrade spam redux

Filed Under: Malware, SophosLabs, Spam

Two days ago my colleague Pob blogged about a run of high-volume server upgrade spam with a link to a Zbot executable. Today a similar campaign has shown up at our spamtraps, this time with the malware attached instead of linked. The premise of the spam is similar, but it is of note because the recipient's domain is liberally sprinkled throughout the message, which lends the spam messages a false sense of legitimacy.

The email is as follows:

Subject: A new settings file for the address@domain has just be released

Dear use of the domain mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox address@domain settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, domain Technical Support.

Unlike the previously mentioned malware campaign, where the "From" address was system-administrator@domain, this time the "From" name is randomized and the "From" address is identical to the recipient address.

The volume of this campaign is quite high: it currently accounts for the majority of the malware attachments we monitor.

Detection-wise, Sophos anti-spam products proactively detected the spam campaign. On the anti-virus side, the attached file install.zip is also proactively detected as Mal/EncPk-KP.
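The three traits called out above (a "From" address identical to the recipient, the recipient's domain echoed through the subject and body, and a zip attachment) are cheap to check at a mail gateway. The following Python script is an added example, not Sophos code or part of the original post: it parses two constructed sample messages (modelled on the campaign, not the actual spam) with the standard library and returns a dictionary of flags for each. The thresholds and the "two of three" rule are assumptions chosen for illustration.

```python
"""Heuristic triage for the self-addressed 'settings file' spam pattern.

Added example, not the original post's code. Both sample messages below are
constructed for demonstration and are not the real campaign messages.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign: From == To, recipient domain
# repeated in subject/body, zip attachment. The base64 payload is a harmless stub.
SPAM_SAMPLE = """\
From: "Laura Bennett" <alice@example.com>
To: alice@example.com
Subject: A new settings file for the alice@example.com has just be released
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear use of the example.com mailing service!

We are informing you that because of the security upgrade of the mailing service
your mailbox alice@example.com settings were changed. In order to apply the new
set of settings open zip attached file.

Best regards, example.com Technical Support.
--b1
Content-Type: application/zip; name="install.zip"
Content-Disposition: attachment; filename="install.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """\
From: "Bob Jones" <bob@partner.org>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Hi Alice, are you free Thursday? Bob
"""


def analyse(raw):
    """Return the heuristic flags for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    recipient_domain = to_addr.partition("@")[2]

    subject = msg.get("Subject", "")
    body = ""
    zip_attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if name.lower().endswith(".zip"):
                zip_attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body += part.get_content()

    # Count how often the recipient's own domain is echoed back at them.
    text = subject + "\n" + body
    mentions = 0
    if recipient_domain:
        mentions = len(re.findall(re.escape(recipient_domain), text, re.IGNORECASE))

    flags = {
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        "recipient_domain_echoed": mentions >= 3,   # assumed threshold
        "zip_attachment": bool(zip_attachments),
    }
    # Assumed rule: any two of the three traits together warrant a closer look.
    flags["suspicious"] = sum(flags.values()) >= 2
    return flags


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyse(sample))
```

A self-addressed "From" on its own is not conclusive, since some legitimate notification systems send mail that way, which is why the script combines it with the other two traits rather than flagging on it alone.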
