Ebola Spam Spreads A Different Kind of Infection

As a new Ebola patient in New York City goes into isolation at the hospital, and a Dallas nurse is released after having beaten the virus, the fixation of the public on the hemorrhagic illness is at an all-time high. And as surely as night follows day, scammers have seized on the moment with an Ebola-themed email purporting to be from the World Health Organization and other “official” sources.

Just last week the United States Computer Emergency Readiness Team (US-CERT) published an advisory warning users of scams and spam campaigns using the Ebola virus as a social engineering theme. Trustwave has now spotted a few malicious spam samples that are doing just that.

In one case, a mail that looks like it’s from WHO exhorts readers to “download the World Health Organization file for more information on how to stay safe from Ebola and other preventable diseases. We care.”

It adds, “There is an outbreak of Ebola and other diseases around that you know nothing about. The information and prevention listed in the attached file will help you and those around you stay safe.”

The compressed file attachment that comes with the mail is not a document file as claimed, but rather an executable file containing the DarkComet remote access trojan (RAT). Over the summer, a DarkComet variant was found to have incorporated AutoIt; it runs a backdoor on the victim machine and specializes in keylogging, webcam capture, sound capture, file uploads, stealing passwords and torrent files, and executing remote scripts.

It also disables the local software firewall by modifying its policies, and installs itself to run at startup for persistence.

“This trojan makes use of its heavily obfuscated AutoIt-based script to run undetected by antivirus software,” Trustwave explained in a blog.

Another Ebola-related spam campaign claims to be an advisory from the Mexican government on the Ebola situation in Mexico. When the attached document file is opened, text instructions and screenshots entice the user to enable the Macro feature in Microsoft Word to load the content, which is of course actually malware.
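Both lures above share a pattern a mail gateway can check for mechanically: an attachment that claims to be a document but unpacks to a Windows executable, or an Office file that carries a VBA macro project. The following is an added example written for this page, not code from Trustwave or from the article; it uses only the Python standard library, and the message, file names and attachment contents it scans are constructed placeholders that imitate the lures described here, not real samples.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows executes directly; a "document" that unpacks to one of
# these is the disguise the WHO-themed lure relies on.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip"}
# OOXML Office files are zip containers; a macro-enabled one carries word/vbaProject.bin.
OFFICE_EXTS = {".docx", ".docm", ".dotm", ".xlsm", ".pptm"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _has_pe_header(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS stub whatever their extension says."""
    return data[:2] == b"MZ"


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS or _has_pe_header(data):
        findings.append(f"{filename}: executable content")
    if ext in ARCHIVE_EXTS or ext in OFFICE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{filename}: member {member.filename} too large to inspect")
                        continue
                    if ext in OFFICE_EXTS and member.filename.lower().endswith("vbaproject.bin"):
                        findings.append(f"{filename}: Office document carries a VBA macro project")
                    if ext in ARCHIVE_EXTS:
                        inner = zf.read(member)
                        if _ext(member.filename) in EXECUTABLE_EXTS or _has_pe_header(inner):
                            findings.append(f"{filename}: archive contains executable {member.filename}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: claims to be an archive/document but is not a valid zip")
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message modelled on the lures in the article (placeholder data only)."""
    # Zip whose single member is a fake executable hidden behind a double extension.
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("WHO_Ebola_Safety.pdf.exe", b"MZ" + b"\x00" * 62)  # PE stub bytes only
    # Minimal macro-enabled Word container: real .docm files hold word/vbaProject.bin.
    dbuf = io.BytesIO()
    with zipfile.ZipFile(dbuf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder macro project\x00")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = "honeypot@example.invalid"    # constructed recipient
    msg["Subject"] = "Ebola Survival Guide: What you need to know"
    msg.set_content("Download the attached file for information on how to stay safe from Ebola.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="WHO_Ebola_Safety.zip")
    msg.add_attachment(dbuf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Aviso_Ebola_Mexico.docm")
    msg.add_attachment(b"%PDF-1.4 benign placeholder", maintype="application",
                       subtype="pdf", filename="harmless.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("FLAG:", finding)
```

Run stand-alone, the script flags the zip (executable member) and the .docm (macro project) and stays silent on the benign PDF. Matching on the MZ header as well as the extension matters because a renamed executable keeps its header, and inflating archive members is capped so a crafted archive cannot exhaust memory on the scanning host.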

Other Ebola-anchored messages are more of a nuisance than malicious, and represent a spike in unsolicited emails that contain links pointing to ads, gaming forums or pharmaceutical websites.

Subject line examples include “Ebola Survival Guide: What you need to know about the deadly Ebola outbreak,” and “So Really, How Do You Get Ebola?” The spammers are not above using shock factor; one campaign’s lure is “Ebola Outbreak - FEMA Storing 250,000 Plastic Coffins.”

So far, the criminals seem less than advanced in their approaches.

“We've only seen one sample from this campaign so far. At this time we don't have reason to believe it is a widespread campaign,” Trustwave said. “The address it was sent to was an old honeypot address, so it’s not exactly targeted either. These facts taken together suggest a low volume campaign (sent to whatever address list the spammer is using) in an attempt to infect random users in the hope of gaining some data that can be used or sold.”

Nonetheless, consumers should be vigilant. “Unsurprisingly, cybercriminals continue to piggyback on newsworthy and major events, disasters and outbreaks to lure potential victims and spread their malware,” Trustwave noted, adding that best practices are tried and true, including “never clicking unsolicited web links or attachments in email messages, particularly those with an Ebola theme.”
