Wiretapping – Take two.

Just over a week ago we blogged about a rather flawed attempt at spamming out a Trojan, using a wiretapping theme as the social engineering lure to persuade the recipient into running the malware.

Well, on Saturday, it appears they had another go, fixing some of the previous errors. Once again the spammed file was a password-protected RAR file, with the password in the message body. Virtually identical social engineering was used – the messages masqueraded as communications from a private detective hired to spy on the recipient.

The emails claim that a private detective is wiretapping your telephone conversations
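The lure described above combines two indicators that a mail gateway can check mechanically: an attached RAR archive whose file entries are encrypted, and a password quoted in plain text in the message body. The following is an added example, not code from Sophos or from the original post, that flags that combination. It walks the RAR 4.x block headers to read the encryption flag directly (the header layout assumed is the standard `Rar!\x1A\x07\x00` signature, a main header of type 0x73 and file headers of type 0x74 with the password bit 0x0004), builds a constructed minimal archive and a constructed message for testing, and only treats the mail as suspicious when both indicators are present together. CRC fields in the constructed archive are zero, so it is a header-level sample rather than an archive a real unpacker would accept.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x0080   # main header flag: archive headers themselves are encrypted
LHD_PASSWORD = 0x0004   # file header flag: this file's data is encrypted
LONG_BLOCK = 0x8000     # block carries an ADD_SIZE field (file data follows the header)

# Matches "password is 1234", "password: 1234", "password 1234" in the body text.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)?\s*([^\s.,;]+)", re.IGNORECASE)


def rar_is_password_protected(data: bytes) -> bool:
    """Walk RAR 4.x block headers and report whether any entry is encrypted.

    Only the marker, main and file block types are interpreted; other block
    types are skipped by their declared header size.
    """
    if not data.startswith(RAR4_SIG):
        return False
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        head_type = data[pos + 2]
        flags, head_size = struct.unpack_from("<HH", data, pos + 3)
        if head_size < 7:           # malformed header; stop rather than loop forever
            break
        if head_type == 0x73 and flags & MHD_PASSWORD:
            return True
        if head_type == 0x74:
            if flags & LHD_PASSWORD:
                return True
            # File headers are followed by PACK_SIZE bytes of file data.
            pack_size = struct.unpack_from("<I", data, pos + 7)[0]
            pos += head_size + pack_size
            continue
        pos += head_size
    return False


def build_rar4_sample(encrypted: bool) -> bytes:
    """Constructed minimal RAR 4.x archive: marker, main header, one file entry (CRCs zero)."""
    main = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6   # 7-byte header + 6 reserved
    name = b"wiretap.exe"
    payload = b"MZ" + b"\x00" * 8                                 # constructed stand-in for file data
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    head_size = 32 + len(name)                                    # 7 common + 25 file fields + name
    file_hdr = struct.pack("<HBHH", 0, 0x74, flags, head_size)
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    file_hdr += struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return RAR4_SIG + main + file_hdr + name + payload


def body_password(msg: EmailMessage) -> Optional[str]:
    """Return a password quoted in the plain-text body, if any."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return None
    m = PASSWORD_RE.search(body.get_content())
    return m.group(1) if m else None


def flag_message(msg: EmailMessage) -> dict:
    """Report encrypted RAR attachments and a body password; suspicious only when both appear."""
    findings = {"password_in_body": body_password(msg), "encrypted_rar_attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if rar_is_password_protected(data):
            findings["encrypted_rar_attachments"].append(part.get_filename())
    findings["suspicious"] = bool(findings["password_in_body"]) and bool(findings["encrypted_rar_attachments"])
    return findings


def scan_raw(raw: bytes) -> dict:
    """Entry point for a raw RFC 5322 message as a gateway would see it."""
    return flag_message(message_from_bytes(raw, policy=policy.default))


def build_sample_message(encrypted: bool) -> EmailMessage:
    """Constructed message in the style of the lure: detective story plus archive plus password."""
    msg = EmailMessage()
    msg["From"] = "detective@example.invalid"      # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your telephone is being wiretapped"
    msg.set_content("I was hired to monitor your calls. The recording is attached. The password is 1234.")
    msg.add_attachment(build_rar4_sample(encrypted), maintype="application",
                       subtype="x-rar-compressed", filename="recording.rar")
    return msg


if __name__ == "__main__":
    print(scan_raw(build_sample_message(True).as_bytes()))
```

Neither indicator is conclusive alone: legitimate senders do mail encrypted archives, and the word "password" appears in plenty of harmless mail. Requiring both, and logging which attachment triggered, keeps the rule usable for triage rather than blocking.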

Detection for the spammed out malware was added to Sophos products as Troj/Dorf-AH. When executed, this Trojan drops another downloading component. This component is proactively detected by Sophos as Mal/Dorf-F so any customers who fell for the social engineering would still have been protected.

Running on an unprotected machine, the Trojan downloaded and executed several other files. The domain from which the files were downloaded is well known to SophosLabs – we have seen it used in a variety of web attacks over the past few weeks (access to the domain will be prevented for customers using Sophos’s web security appliance). Amongst the malicious actions of these other downloaded components is the display of fake system infection alerts in order to persuade the user to purchase a cleanup product.

[Fake infection alert]

Malware performing this type of trick has been used for a while now to scam money out of victims. There are many examples, several of which we have blogged about previously [1,2].