Sweet rabbits phish login details from PayPal users

Since earlier on today, we have been seeing an ongoing phishing attack against PayPal, and not the usual phishing email enticing the victim to click on a rogue site. Instead, the attackers have spammed out malware within a RAR attachment, using the filename rabbits.rar.

A variety of other subject lines and message bodies have been seen as well.

Anyone opening the attached archive will be greeted with malware (rabbits.exe) that, once executed, will:

  • write adobe.vbs to the temporary folder
  • run the script, using wscript.exe

The malicious VB script is a simple Trojan, overwriting the contents of the HOSTS file in order to redirect PayPal related domains to a specific IP address.

Any subsequent attempt to access one of those domains will instead load content from the phishing site, even though the address bar shows the legitimate PayPal hostname.
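As an added illustration (not code from the original post), here is a small Python check that parses a HOSTS file and flags any PayPal-related hostname mapped to something other than a loopback address, which is the kind of tampering described above. The sample HOSTS content and the 192.0.2.10 address are constructed placeholders, not indicators from this attack.

```python
import ipaddress

# Constructed sample of a HOSTS file after an overwrite of the kind the post
# describes: PayPal hostnames pointed at one non-local address. 192.0.2.10 is a
# documentation-range placeholder, not an indicator from this campaign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.paypal.com
192.0.2.10      paypal.com
192.0.2.10      www.paypal.co.uk   # redirected by the Trojan
"""

# Brand domains to watch. A clean HOSTS file has no reason to map any of
# these at all, so an entry pointing them off-loopback is a strong signal.
WATCHED_SUFFIXES = ("paypal.com", "paypal.co.uk")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and bad lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:                     # not an IP, ignore the line
            continue
        for name in parts[1:]:
            yield addr, name.lower()


def find_hijacked_entries(text, watched=WATCHED_SUFFIXES):
    """Return (ip, hostname) entries sending a watched domain off-loopback."""
    hits = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            continue
        if any(name == s or name.endswith("." + s) for s in watched):
            hits.append((str(addr), name))
    return hits


def scan_hosts_file(path):
    """Scan a real HOSTS file (on Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_hijacked_entries(f.read())
```

Running `find_hijacked_entries(SAMPLE_HOSTS)` on the constructed sample returns the three PayPal entries; on an untouched HOSTS file it returns an empty list.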

Detection for this malware (executable spammed out and the VB script) was included in the alert earlier on today as Troj/Agent-IYU.

To my mind, the social engineering behind this one seems rather obscure. Then again, perhaps there are more rabbit fanciers out there than I imagine…