Zeus Sneaks Past Detection with Encrypted File

Gary Warner, a researcher at Malcovery, explained that the Zeus payload passes through firewalls, web filters, network intrusion detection systems and any other defenses a company may have in place as a non-executable “.enc” file.

“If you are in charge of network security for your enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently,” he said in a blog post, noting that Malcovery has seen this behavior “consistently” since late January. He said that it was alarming enough that he decided to share the information more broadly, sending copies of the malware to dozens of security researchers and to law enforcement.

Cutwail is a spamming botnet that since early fall 2013 has primarily distributed malware via social engineering. Until now, its spam messages have generally carried .zip files containing a small .exe file whose primary job is to connect to the Internet and download larger, more sophisticated malware.

That malware “would never pass through spam filters without causing alarm, but because of the way our perimeter security works, are often allowed to be downloaded by a logged in user from their workstation,” said Warner. “As our industry became better at detecting these downloads, the criminals have had a slightly more difficult time infecting people.” So, they have crafted a new delivery model.

The .zip file attached to the emails now carries a new version of the downloader: it first fetches the .enc file from the internet, then decrypts it, writes the result to a new location under a new filename, executes it, and schedules it to run again in the future.

The ruse is working. Warner pointed out that since the change last week, the detection rate for the Zeus downloads has consistently been zero of 50 at VirusTotal. “Why? Well, because technically, it isn't malware,” Warner explained. “It doesn't actually execute! All Windows .exe files start with the bytes ‘MZ’. These files start with ‘ZZP’. They aren't executable, so how could they be malware? Except they are.”
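Warner's two practical points above, checking proxy logs for .enc downloads and noticing that the payloads begin with “ZZP” rather than the “MZ” every Windows executable starts with, translate directly into triage code. The following Python is an added example written for this page, not Malcovery's tooling: the squid-style access-log format, the log lines, and the byte strings are all constructed for illustration, and the “ZZP” marker is taken only from the article, so a real campaign may change it at any time.

```python
"""Triage helpers for the .enc delivery pattern described in the article.

Added example, not code from Malcovery or the original article.
Assumptions: web-proxy logs in squid access.log layout (constructed
sample below); the 'ZZP' leading bytes are the only payload indicator
the article gives, and 'MZ' is the DOS header of every Windows PE file.
"""
import re
from urllib.parse import urlparse

# Constructed sample access log (squid native format):
# timestamp elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1391000001.123    412 10.0.0.15 TCP_MISS/200 310245 GET http://example-cdn.test/files/report.enc - HIER_DIRECT/198.51.100.7 application/octet-stream
1391000002.456     88 10.0.0.22 TCP_MISS/200  20481 GET http://intranet.test/docs/Q4_summary.pdf - HIER_DIRECT/10.0.0.5 application/pdf
1391000003.789    301 10.0.0.15 TCP_MISS/200 298112 GET http://cdn2.example.test/img/logo.ENC?id=7 - HIER_DIRECT/203.0.113.9 application/octet-stream
1391000004.000     40 10.0.0.31 TCP_MISS/404    512 GET http://example-cdn.test/files/missing.enc - HIER_DIRECT/198.51.100.7 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def find_enc_downloads(log_text, min_bytes=1024):
    """Return (client, url, bytes) for successful GETs whose URL *path* ends in
    .enc (case-insensitive, query string ignored) and whose body is large
    enough to plausibly be a wrapped executable. 4xx/5xx responses and tiny
    bodies are skipped so that failed fetches do not pad the list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        if m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        path = urlparse(m["url"]).path
        if not path.lower().endswith(".enc"):
            continue
        size = int(m["bytes"])
        if size < min_bytes:
            continue
        hits.append((m["client"], m["url"], size))
    return hits


def classify_header(data):
    """Classify a file by its leading bytes.

    'MZ' is the DOS stub header that every Windows PE executable starts with,
    which is what signature-based filters look for. 'ZZP' is the marker the
    article reports on the wrapped Zeus payloads; such a file is not a PE
    image until the downloader decrypts it, which is why a .enc download
    with this header deserves attention even though no AV engine flags it.
    """
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:3] == b"ZZP":
        return "zzp-wrapped"
    return "unknown"


if __name__ == "__main__":
    for client, url, size in find_enc_downloads(SAMPLE_LOG):
        print(f"{client} fetched {size} bytes from {url}")
    # Constructed byte strings standing in for the first bytes of captured files.
    for sample in (b"MZ\x90\x00\x03\x00", b"ZZP\x00\x11\x22", b"PK\x03\x04"):
        print(sample[:4], classify_header(sample))
```

Run over a real proxy export, the first function gives the list Warner suggests pulling; feeding the first bytes of any captured .enc file to the second tells you whether it carries the header the article describes. Both checks are campaign-specific by design: an extension and a three-byte marker are trivial for the operators to change, so treat a hit as a lead for retrieving the .zip downloader, not as a complete detection.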

And indeed, several spam campaigns are making the rounds, all related to each other and all distributed by the criminals behind the Cutwail malware delivery infrastructure. They masquerade as a number of brands and organizations, including the payment processor ADP, the Better Business Bureau, GoDaddy and the British tax authority HMRC.

“It is likely that many different criminals are paying to use this infrastructure,” noted Warner.
