Another banking Trojan is now being distributed as part of the currently observed spam campaign: Bebloh. This is known for being sent as an email attachment – precisely as it is in the latest instance. It is possible that copycats have jumped onto the first scam, as experts at G DATA SecurityLabs are currently observing two very similar lines of attack running in parallel.
The bulk of the email is still designed as if it were an invoice from a well-known company or banking information. However, it is obvious that the list of top companies involved has expanded. In addition to telecommunications companies and banks, as previously reported, new well-known decoys have now been added to the two scams:
This scam, which is now well known, has been active since mid-May and continues to be so. Over the last two weekends, G DATA experts have seen a drop both in the number of people visiting infected websites in this case and in the infections detected by BankGuard. Possible causes are that the attackers are also treating themselves to a break at the weekend, or that the campaign is mainly directed at business customers, who do not read work emails at the weekend.
The following graphic shows, for the latest case, the effect the individual schemes are having: it plots the number of visits to websites blocked by G DATA. Waves can clearly be seen, with peaks at the start of each new phase.
Not only are more emails now in circulation that try to get the user to click on a link and become infected; these emails also carry the supposed invoice itself as an attachment, generally a .zip file. Distributing Bebloh as an attachment is not new; what is conspicuous is how closely the design of the emails carrying attachments resembles that of the first scam.
Such spam emails often give themselves away through simple details, even when the visual design closely mimics the original.
Whether the new scam involves copycats, or whether the senders behind the email URL scheme are perhaps offering their services to other interested parties who have their own malware, is not clear. However, it seems unlikely that the attackers behind the first scam have set up the second scam for their own purposes. Although both sets of malware currently being distributed are banking Trojans, Swatbanker and Bebloh are very different.
While compiling this article, experts at G DATA SecurityLabs have also discovered an English-language version of this email campaign! Based on the scheme already known about, these are emails containing URLs behind which the Swatbanker malware is lurking.