Stock spam takes another turn

Earlier this year we reported of a rise in the use of PDF attachments in stock spam [1], and then its subsequent demise [2]. More recently, we reported the use of MP3s by the stock spammers [3]. Today, we have seen yet another twist.

Several spam messages hit our spam traps containing a single URL link – http://<ip_address>/file.php. The link points to an executable. Nothing new there – very Dorf-like.

However, taking a closer look at the executable downloaded from the link we noticed they where not what we might have expected. They were fairly simple files that simply opened a specific URL in your default browser. And the content on that page? Stock spam.

[Screenshot of stock spam shown in browser]

Of course, the actual content hosted at the URL requested by the Trojan could change.

At the time of writing we have seen multiple Trojans all of which request the same URL. Some of the Trojans are encrypted in a similar manner to recent Dorf variants. In fact, the Dorf-link is further confirmed when you browse the page at the root of the IP address in the spam message. You are presented with the ‘Dancing Skeletons’ Halloween-themed social engineering we reported previously [4].

So, clearly the same compromised machine that is being used in Dorf propagation is now being used as part of a stock spam campaign. I wonder what their next trick will be?