AppRiver Warns of Sick Scam Targeting .co.uk TLDs; Email claims blood count indicates recipients may have cancer with attachment that delivers an infection
(M2 PressWIRE Via Acquire Media NewsEdge) AppRiver, the cloud-based email and Web security specialist, today warned of a malicious email campaign targeting people whose email address ends with the .co.uk top level domain (TLD). Fred Touchette, senior security analyst for AppRiver, explains, "Yesterday morning, we began seeing a rather disturbing attempt to get users to click on malicious attachments. This malware campaign was made to look as if it came from The National Institute for Health and Care Excellence, which is an offshoot of the Department of Health in the United Kingdom. It claims that the institute received a sample of the recipient's blood, though it doesn't say how or when it came across this sample, which should alert people right away that something is amiss, and it goes on to say that after doing a complete blood count test on the sample the results showed very low white blood cell counts and a suspicion of a cancer. This campaign was also only directed at domains with a .co.uk TLD, suggesting that the targets were all meant to be in the UK and familiar with NICE. It began around 9am GMT, peaking at about 11am in the UK."
To avoid detection, the campaign randomises the name of the signing doctor and utilises three different subject lines:
IMPORTANT: Complete blood count (CBC)result
IMPORTANT: Blood analysis
IMPORTANT: Blood analysis result
The email further instructs the recipient to print out the results and take them to their family doctor, but rather than the results, it's a malicious zip file that's attached to the email. The name of the file is CBC_Result_[random alphanumeric string].zip. Inside the archive is a file with a double extension, made to look like a PDF file but in actuality an executable carrying a PDF icon.
Speaking about the risks of opening the file, Fred adds, "If the attachment is unzipped and executed, the user may see a quick error window pop up and then disappear on their screen. What they won't see is the downloader then taking control of their PC. It immediately begins checking to see if it is being analysed, by making long sleep calls, and checking to see if it is running virtually or in a debugger. It also makes several duplicate instances of itself just in case someone was attempting to shut down the original process. Next it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware in turn posts this data to a server at 22.214.171.124 with the command /ppp/ta.php, and punches a hole in the firewall to listen for further commands on UDP ports 7263 and 4400."
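The indicators in the two paragraphs above (the three subject lines, the CBC_Result_[random].zip attachment name, the double-extension "PDF" inside the archive, the POST to /ppp/ta.php on 22.214.171.124, and the UDP listeners on 7263 and 4400) can be turned into simple triage checks. The following is an added example written for this page; it is not AppRiver's code. The indicator values come from the article, while the log line formats, the sample archive, the host names and the function names are assumptions:

```python
"""Triage checks for the NICE-themed 'blood count' lure described in the article.

Added example, not AppRiver's code. Subject lines, attachment naming, the
double-extension trick, C2 host/path and UDP ports are taken from the article;
the log formats, sample data and function names are assumptions for this demo.
"""
import io
import re
import zipfile

# Indicators quoted in the article.
LURE_SUBJECTS = {
    "IMPORTANT: Complete blood count (CBC)result",
    "IMPORTANT: Blood analysis",
    "IMPORTANT: Blood analysis result",
}
ATTACHMENT_RE = re.compile(r"^CBC_Result_[A-Za-z0-9]+\.zip$", re.IGNORECASE)
# A "PDF" that is really an executable: document extension followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.pdf\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)
C2_HOST = "22.214.171.124"
C2_PATH = "/ppp/ta.php"
C2_UDP_PORTS = {7263, 4400}


def suspicious_members(zip_bytes):
    """Return archive member names that carry a double extension (listing only, nothing is extracted)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if DOUBLE_EXT_RE.search(name)]


def triage_email(subject, attachment_name, zip_bytes=None):
    """Return the reasons a message matches the campaign; an empty list means no match."""
    reasons = []
    if subject.strip() in LURE_SUBJECTS:
        reasons.append("subject matches campaign lure")
    if attachment_name and ATTACHMENT_RE.match(attachment_name):
        reasons.append("attachment name matches CBC_Result_<random>.zip")
    if zip_bytes:
        for member in suspicious_members(zip_bytes):
            reasons.append(f"archive member with double extension: {member}")
    return reasons


def scan_proxy_log(lines):
    """Return clients that POSTed to the C2 host and path.
    Assumed line format: <client> <method> <host> <path>"""
    hits = []
    for line in lines:
        parts = line.split()
        if (len(parts) >= 4 and parts[1] == "POST"
                and parts[2] == C2_HOST and parts[3].startswith(C2_PATH)):
            hits.append(parts[0])
    return hits


def scan_firewall_log(lines):
    """Return (host, port) pairs where a new inbound UDP allow rule matches the C2 ports.
    Assumed line format: <host> ALLOW <proto> <port>"""
    hits = []
    for line in lines:
        parts = line.split()
        if (len(parts) >= 4 and parts[1] == "ALLOW" and parts[2] == "UDP"
                and parts[3].isdigit() and int(parts[3]) in C2_UDP_PORTS):
            hits.append((parts[0], int(parts[3])))
    return hits


def build_sample_zip():
    """Constructed sample archive mimicking the lure; the member is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CBC_Result.pdf.exe", "placeholder, not an executable")
    return buf.getvalue()


# Constructed sample log lines (assumed formats, see the docstrings above).
SAMPLE_PROXY_LOG = [
    "10.0.0.5 POST 22.214.171.124 /ppp/ta.php",
    "10.0.0.9 GET www.example.org /index.html",
]
SAMPLE_FIREWALL_LOG = [
    "ws-042 ALLOW UDP 7263",
    "ws-042 ALLOW UDP 4400",
    "ws-017 ALLOW TCP 443",
]

if __name__ == "__main__":
    print(triage_email("IMPORTANT: Blood analysis", "CBC_Result_a1b2c3.zip", build_sample_zip()))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(scan_firewall_log(SAMPLE_FIREWALL_LOG))
```

The archive check only reads the member listing, so it is safe to run on a quarantined attachment; the double-extension test is the most durable of the three mail checks, since subject lines and the random suffix change between waves while the "PDF icon on an .exe" trick relies on Windows hiding known extensions. The network checks match the single host and ports the article names, so treat them as a starting point to be widened as new indicators appear.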
Fred believes this is all very common behaviour for the Zeus family of malware, which is still very common in today's attacks. Fred's advice to anyone who may be targeted is, "Keep yourself informed and watch out for some of the common flaws that these malware campaigns employ - such as addressing people by their email addresses as opposed to their actual names. Often, generalities are used in the greeting with no names at all. This is a big red flag, especially when the content is trying to appear so personal. If there are any questions as to the legitimacy of any email, contact the supposed sender directly to authenticate."
Eskenzi PR Ltd
(c) 2014 M2 COMMUNICATIONS