Since earlier today, we have been seeing an ongoing phishing attack against PayPal, and not the usual phishing email enticing the victim to click on a rogue site. Instead, the attackers have spammed out malware within a RAR attachment, using the filename
A variety of other subject lines and message bodies have been seen as well.
Anyone opening the attached archive will be greeted with malware (rabbits.exe) that, once executed, will:
- drop adobe.vbs to the temporary folder
- run the script, using
The malicious VBScript is a simple Trojan: it overwrites the contents of the HOSTS file so that PayPal-related domains resolve to a single IP address chosen by the attackers. Because the HOSTS file is consulted before any DNS lookup, every subsequent attempt to reach those domains, even by typing the genuine address into the browser, silently loads content from the phishing site instead.
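As an added example (not code from the original post or from SophosLabs), here is a small Python check a responder could run against a HOSTS file to spot this kind of hijack. It parses the file and reports any mapping for a watched domain, on the basis that a clean HOSTS file should never pin paypal.com at all, and then groups the flagged names by destination address, since many names collapsing onto one address is the signature of an overwritten HOSTS file. The sample file content, the watched-domain list and the 192.0.2.10 address (a documentation range) are constructed for the demo; the page does not reproduce the real IP address or the exact domain list used by the script.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Domains this campaign targets. The page only says "PayPal related domains";
# the exact list is an assumption for the demo. Subdomains match by suffix.
WATCHED_DOMAINS = ("paypal.com",)

# Constructed sample: a default-looking Windows HOSTS file with three hijack
# lines appended. 192.0.2.10 (TEST-NET-1) stands in for the attacker's IP,
# which the page does not give.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      paypal.com
192.0.2.10      www.paypal.com   # trailing comment, should be ignored
192.0.2.10      login.paypal.com
"""


class Hit(NamedTuple):
    line_no: int
    ip: str
    host: str


def parse_hosts(text: str) -> List[Hit]:
    """Parse HOSTS-file text into (line_no, ip, host) entries.

    Skips blank lines, comments and malformed lines, and expands lines that
    list several hostnames after one address.
    """
    entries: List[Hit] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # no hostname on this line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # first token is not an address
        for host in parts[1:]:
            entries.append(Hit(line_no, str(addr), host.lower().rstrip(".")))
    return entries


def _is_watched(host: str, watched=WATCHED_DOMAINS) -> bool:
    # Exact match or a real subdomain; "paypal.com.evil.example" must not match.
    return any(host == d or host.endswith("." + d) for d in watched)


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> List[Hit]:
    """Return every HOSTS mapping for a watched domain.

    A legitimate HOSTS file should not pin these domains at all; whether the
    target is a public address (redirect to a phish) or loopback (denial of
    access), the entry is worth reporting.
    """
    return [h for h in parse_hosts(text) if _is_watched(h.host, watched)]


def hijacked_by_ip(text: str, watched=WATCHED_DOMAINS) -> Dict[str, List[str]]:
    """Group flagged hostnames by destination address."""
    grouped: Dict[str, List[str]] = {}
    for h in suspicious_entries(text, watched):
        grouped.setdefault(h.ip, []).append(h.host)
    return grouped


def scan_hosts_file(path: str) -> List[Hit]:
    """Scan a HOSTS file on disk (Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.host} -> {hit.ip}")
    print(hijacked_by_ip(SAMPLE_HOSTS))
```

Run against the real file with scan_hosts_file() on an affected machine; any flagged line is reason to restore the HOSTS file from a known-good copy and flush the resolver cache before trusting the browser again.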
Detection for this malware (both the spammed-out executable and the VB script) was included in the alert earlier today as Troj/Agent-IYU.
To my mind, the social engineering behind this one seems rather obscure. Then again, perhaps there are more rabbit fanciers out there than I imagine…