Independent security researcher Graham Cluley noted that the emails use forged headers so that they look like they’re official correspondence from one’s mail provider or ISP. “In other words, if you have an email of fred@example.com, the email will purport to have been sent from Administrator@example.com,” Cluley explained.
The typical email sent in the malware campaign carries a subject line of “IMPORTANT – Internal Use only.” In the body, it purports to be an “Important Company Update,” exhorting users to “please read carefully the attached document.”
To make it seem more official, the message even tacks on a confidentiality notice using the standard wording found in legitimate corporate email:
The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
And the reach appears to be extensive: Jonathan French, a researcher at AppRiver, said in a blog post that his company had blocked over 70,000 messages carrying the malware.
“From time to time people claim that the days of malware being spammed out en-masse are over, but clearly that’s not the case,” Cluley said. “It may be that more and more attacks work hard to not draw attention to themselves, but there are still cybercriminals out there who are more than happy to blast out their malicious code in the hope that at least a small percentage of people will click on the attachment and infect their computers.”
Despite the sheer volume, so far it looks like a run-of-the-mill campaign, with one exception: rather than a plain executable or a malicious Word or PDF document, the Trojan downloader is attached as a .gadget file.
“If you haven’t heard of gadgets before, they’re the mini-programs that can run in the Windows sidebar,” Cluley explained. “Often they might provide you with a number of functions, such as a desktop clock, an RSS feed or the latest weather report.”
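The two traits reported so far, a forged From: address of Administrator@ at the recipient's own domain and a .gadget attachment, are easy to turn into a gateway check. The script below is an added example, not code from the article or from either researcher; the message it scans is constructed to mirror the described lure (fred@example.com is the article's own placeholder, and the attachment bytes are made up), and the hit codes it returns are my own naming.

```python
"""Mail-filter check for the campaign traits described above: a From: address
of Administrator@<recipient's domain>, the reported subject line, and a
.gadget attachment. Added example; the sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ADMIN_LOCALPARTS = {"administrator"}   # the local-part the article reports
SUBJECT_MARKER = "internal use only"   # from the reported subject line
ZIP_MAGIC = b"PK\x03\x04"              # a .gadget is a ZIP container


def build_message(sender, recipient, subject, body, attach_name=None, payload=b""):
    """Assemble a MIME message; used only to construct sample input offline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    from_local, _, from_dom = from_addr.rpartition("@")
    _, _, to_dom = to_addr.rpartition("@")
    # Forged-header trait: the sender claims to be Administrator at the
    # recipient's own domain.
    if from_dom and from_dom.lower() == to_dom.lower() \
            and from_local.lower() in ADMIN_LOCALPARTS:
        hits.append("administrator-at-recipient-domain")

    if SUBJECT_MARKER in str(msg.get("Subject", "")).lower():
        hits.append("campaign-subject")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".gadget"):
            data = part.get_payload(decode=True) or b""
            # Flag the extension either way, but record whether the payload
            # is even a real gadget container or just a renamed executable.
            kind = "zip" if data.startswith(ZIP_MAGIC) else "non-zip"
            hits.append(f"gadget-attachment:{kind}")
    return hits


# Constructed sample modelled on the reported lure (a plain hyphen replaces
# the article's en dash to keep the header ASCII); the attachment content is
# a fake ZIP header, not a real gadget.
SAMPLE_EML = build_message(
    "Administrator@example.com", "fred@example.com",
    "IMPORTANT - Internal Use only",
    "Important Company Update\n\nPlease read carefully the attached document.\n",
    "Company_Update.gadget", ZIP_MAGIC + b"\x00" * 26 + b"gadget.xml")

if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

The subject and sender checks are tied to this one campaign and will age quickly; the attachment check is the durable part, and in practice the simpler control is to reject or quarantine the .gadget extension outright at the gateway, since there is no business reason for it to arrive by email.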
French said that the downloader then pulls additional malware onto the machine from the internet.
“Most likely this means the gadget file is a downloader for some malware that is using encryption to try and bypass filters,” he said. “One of the more popular pieces of malware that uses this is the GameOver Zeus malware. There was another exe file it reached out for but the request was returned as Forbidden by the remote server.”
As always, mail users should be wary of opening attachments they were not expecting.