SophosLabs is intercepting a wave of malicious emails that have been spammed out around the world, luring unsuspecting internet users into clicking on a malicious attachment.
The emails all claim to be related to a rejected wire transfer. Most savvy computer users would realise that an unsolicited email about a wire transfer they never made is unlikely to be legitimate, but some recipients will be worried, or merely curious, enough to open the HTML attachment, not realising that a web page saved as a file can run code in their browser just as a live website can.
Here’s a typical example of an email we have intercepted.
The subject lines used in the malicious spam campaign can vary, but are all related to a “Wire Transfer Confirmation” (some give a reference number in an attempt to make the message appear more official).
Here is a small selection of the subject lines we saw at SophosLabs during the space of just one minute.
Attached to each email is a file called Wire_AMBA01-Rejected.htm, which Sophos products detect as Troj/JSAgent-CK.
To the casual observer, the file may seem harmless enough, displaying only a message saying "Please wait a moment. You will be forwarded...".
But it's the next section of the HTML code which is interesting. A script converts a long sequence of numbers back into JavaScript source and then executes the result, so the real payload never appears in the attachment in readable form and a simple text search for a suspicious URL finds nothing.
SophosLabs researchers have tools which help them deobfuscate code like this, to find out what it's really planning to do.
Once decoded, the script silently redirects your browser to a hacked Russian website which is playing host to the Blackhole exploit kit. If your computer isn't properly protected, the kit will try known vulnerabilities in your browser and its plugins, and within seconds your computer will most likely be infected by malware.
A few days ago we saw an attack in a similar vein, with a fake Facebook photo tag notification using the Blackhole kit to exploit computers.
As ever, keep your security up-to-date. That not only means running an up-to-date anti-virus, but also ensuring that you have the latest operating system and application patches in place.
Finally, remember to have a spoonful of common sense each morning – and consign unwanted, unsolicited emails to the trash can rather than clicking on any links or attachments that they may contain.
Wire money neon sign image, courtesy of Shutterstock.
Nice write-up Graham. Very informative and accurate. I was especially impressed with the analysis of the JavaScript. You sir are a true champion for those of us who are not as savvy in security related matters.
Great read. Has the site hosting the BH exploit been hacked and exploited, or is it just being hosted on some kind of bulletproof hosting?
I also saw an FB application the other day that directs victims to a website infected with the new Orange Peel exploit pack.
They need to target more of these so called bulletproof hosting.
Don’t you need to tell us why you “obfuscated” the FROM line in the example you showed? It could be important to know especially if it is taken from our contact list or is a major bank or whatever. Thanks.
I’m a bit confused.
First, I didn't realise that AV could detect problems in .HTM / .HTML files rather than in executables.
Second, am I correct to think that the document.write loads the iframe from the ru site?
Thanks!
To your first question, "Yes."
Anti-virus software (or anti-malware as it's probably better to describe it these days, lest pedants and purists point out that it no longer blocks only viruses 🙂) needs to look in all sorts of places these days.
Not just EXEs, but all sorts of files – Java, JavaScript, HTML, DOC, PDF and many more besides – may contain actively malicious content, or some sort of trigger component which makes your computer go and fetch malicious content without your consent or approval.
To your second question, "Yes."
Or, "Sort of yes". The document.write() injects the IFRAME into the currently-rendering web page, where your browser consumes and processes it _as if it had been in the web page from the start_. Since the IFRAME references a URL on the .ru site, content gets slurped in from there by your browser.
Strictly speaking, therefore, the document.write() command inside the browser's JavaScript engine doesn't directly trigger the download. But it certainly causes it to happen, albeit after the document.write() has done its job.
HtH.
I have gotten two of these, both following a request to transfer funds from my bank to my credit union account at a different location. I, of course, did not click the links. It shows up in my spam email account. But I find it quite ironic that it happened both times within a day of my transfer request stated above. Do I need to alert my banking facilities???