Spoofed eCard site infecting victims with Cimuz

Or perhaps the more festive title “Jingle All the Way (…to a Cimuz infection)”?

Overnight SophosLabs identified a malicious eCard spam campaign that was spoofing the legitimate AmericanGreetings.com service. The spam messages used in the campaign enticed recipients into clicking on the embedded link to view their card.

[eCard spam]

Anyone who clicked on the link would not see their eCard, but instead a message informing them that an additional ActiveX control is required to view it.

[Spoofed eCard site]

Within the source of this page is the culprit – a malicious embedded object pointing to an installation package hosted on the malicious domain.

[Source for malicious object]

If the ActiveX control installation is authorised, the CAB package is retrieved and the file update.exe is extracted and executed (detection added as Troj/Cimuz-CS). This file proceeds to infect the victim with Cimuz.

  • flashupdate.exe is written to the temporary folder and executed
  • an attempt is made to connect to remote servers and download additional files
  • at the time of writing, one of these files was available, and contained instructions of an additional URL to download from
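As an added example (not code from the original post), here is a small defender-side check for the two lure components described above: a message whose visible link text names americangreetings.com while the href leads elsewhere, and a landing page whose `<object>` codebase fetches a CAB (the ActiveX install) from a host that is not the brand's. The domain ecard-lure.example, the sample HTML and the CLSID are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the lure claims to be from (the campaign spoofed AmericanGreetings.com).
TRUSTED_HOSTS = {"americangreetings.com", "www.americangreetings.com"}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

class LureScanner(HTMLParser):
    """Flags brand-named links that resolve elsewhere, and <object> tags whose
    codebase pulls a .cab (ActiveX package) from an untrusted host."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self._href, self._text = attr["href"], []
        elif tag == "object":
            codebase = attr.get("codebase", "")
            # codebase is "URL#version=..." in ActiveX markup; strip the fragment first
            if codebase.lower().split("#")[0].endswith(".cab") and not is_trusted(host_of(codebase)):
                self.findings.append(("activex_cab_from_untrusted_host", host_of(codebase)))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).lower()
            if any(t in text for t in TRUSTED_HOSTS) and not is_trusted(host_of(self._href)):
                self.findings.append(("brand_text_links_elsewhere", host_of(self._href)))
            self._href = None

def scan_html(html):
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples modelled on the campaign: a spam body and the spoofed landing page.
SPAM_BODY = '<p>You have an eCard! <a href="http://ecard-lure.example/card.html">www.americangreetings.com/view</a></p>'
LANDING_PAGE = ('<object classid="clsid:00000000-0000-0000-0000-000000000000" '  # placeholder CLSID
                'codebase="http://ecard-lure.example/install.cab#version=1,0,0,0"></object>')

if __name__ == "__main__":
    for finding in scan_html(SPAM_BODY) + scan_html(LANDING_PAGE):
        print(*finding)
```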

Thankfully, the flashupdate.exe file is pro-actively detected as Mal/Cimuz-D:

[Cimuz-D proactive detection]

The Cimuz family of Trojans is no stranger to this blog [1,2,3], but in recent months it has been pretty quiet. Clearly the group behind this latest attack are in need of a little financial top-up over the Christmas period. Don’t help them: follow the usual rules, especially over Christmas and New Year, when social engineering tricks may work that little bit too easily.