More than 10 years ago, email worms like Bagle started spreading themselves in password protected archives, e.g.ZIP archives. The password needed to unlock the archive was mentioned as part of the email. A scam that has rarely been seen since and that is considered being an old trick has now returned.
We identified a spam campaign concerning phishing attempts. This campaign currently mainly targets Italian users and in particularly the customers of the bank called Gruppo bancario Iccrea. The purpose of this campaign is to steal credit card information.
The email has an attachment: a .HTML document which, when opened, asks for a password – the one given in the email text. Note that the window asking for the password is in English language, not in Italian any more.
The password is used to decode the payload containing the HTML code of the phishing campaign:
If the entered password is correct, the HTML code contained in the variable called “orig” is decoded and the phishing website is displayed:
The author of this campaign uses the fact that a password is commonly linked to the lexical field of security: for some people, if something is protected by a password, it is secure. The attackers use this perception to deceive the email readers.
An article on myonlinesecurity.co.uk reported about a similar campaign, involving malware attachments. The attackers use social engineering techniques to lure possible victims into downloading and installing malware.
In addition to this social engineering aspect, the attackers use technical tricks as well. The attachment, a .RAR archive file, is protected by the password mentioned in the email. Password-protected archives cannot be scanned by security suites and therefore can bypass the email security gateways unchecked, though packed with malware. Scanning the content would require automatic unpacking, thus breaking the password protection. This is something no normal email client should do.
Manually unpacking the .RAR archive reveals the malicious content: a file named NIKON-2013564-JPEG.scr, which is detected as Trojan.GenericKD.1604689 by G Data products.
The file extension .SCR informs Windows about this file being an executable. The second extension hint, JPEG, preceding the real extension, makes the user believe he is handling a picture.
By default, Windows does not show the real file extension, so a user would originally not see .scr and the second extension JPEG can be used to cheat. Another level of disguise is the file icon. The file’s icon shows a PDF document.
The attached executable extracts a second binary, called viewer_update.exe, and executes it. This .EXE connects to the Internet and downloads further files:
These websites seem to be compromised legitimate websites. The file downloaded, 13003UKc.ton, is an encrypted driver which we detect as Generic.Trojan.Agent.BK. After its download, the encrypted driver is decrypted by viewer_update.exe and drops ZeuS malware with Necurs rootkit capabilities onto the victim’s PC. G Data detects this particular sample as Rootkit.Necurs.QC.
Packing malware into password-protected archives and therefore bypassing malware scanners monitoring the email programs is nothing entirely new. It became popular with the Bagle family back in 2003. The purpose by that time was to hinder automatic analysis of the files. But, actually,it didn't take too long to adopt the relevant systems back in 2003. It is rather surprising that attackers start following this strategy again, because it is time consuming for them to realize – compared to other spam methods used. And it doesn't disturb analyses at all. The only effect is that the malicious files are detected a bit later.
As email programs and their standard security measures have their problems with this kind of attack, it is even more important to rely on a comprehensive AV product and first of all, understand the nature of the attack to avoid being trapped!