Targeted email attacks against public sector companies have been prevalent this week with Bredolab malware being used as the payload.
Tony Millington, malware operations engineer at Symantec Hosted Services, claimed that attacks began on Tuesday 16th February, but what was interesting was the payload rather than the specific attack.
Millington explained that Bredolab is usually spammed out in vast quantities using the Cutwail botnet, and uses many techniques to trick people into running the executable. Once the executable is opened, another file is dropped on to the computer and the local firewall is turned off. Furthermore, other malicious files may also be installed by the controllers of Bredolab, who may also be selling or renting the control of that computer for malicious use by other cyber criminals.
As Bredolab is so flexible, it may conceivably be used to perform any task that its controllers wish. What made this attack so significant, said Millington, were several factors. He said: “Firstly, it is targeted to very specific recipients, and it was not being spammed indiscriminately in large volumes.
“Secondly, the malicious file in the email is indeed a variant of the Bredolab virus; it has exactly the same characteristics, except that the files it subsequently downloads are not the usual Bredolab fare. They are, in fact, data stealers, and very few anti-virus companies identified the downloaded files at the time of writing.”
Millington said that Symantec Hosted Services investigated the characteristics of the emails, and found that the accounts are likely to have been established in advance, perhaps through CAPTCHA-breaking, or they may be compromised legitimate accounts.
He also said that many of the IP addresses used in sending these attacks have also been used for sending a variety of other spam and malware during the past few months, under the control of a variety of different botnets, not just Cutwail.
He said: “It's now clear that most of these IP addresses have been the victim of previous malicious attacks and have themselves become infected and used for criminal activities. The recent sending of Bredolab-laden targeted attacks is just the latest in a long line of abuse for the owners of these PCs.
“The fact that it's coming from all over the world strongly indicates that some form of botnet is being used to connect to the webmail service to send these malicious emails, and at the moment, we're not certain which botnet, but it's highly likely to be linked to Cutwail, as virtually all the other Bredolab attacks we have seen originate from Cutwail.”
He concluded by advising that the subject of the email may give the appearance of being benign and use words such as ‘invitation’, ‘conference’ and ‘resume’, and the filename will often follow the same format. As the attachment is a .zip file, the malicious ‘.scr’ file is contained within it, along with an office document file. The office document is completely safe and contains no malicious code and is just a copy of the contents of the body of the email with a nicely formatted header.
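The attachment shape described above (a .zip holding an .scr executable beside a harmless decoy office document, under a benign-looking subject) is simple to screen for at a mail gateway. The following is an added illustration, not code from Symantec or from the article; the helper names, the extension lists and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed lists: executable extensions worth blocking inside a zip, office
# formats that are used as decoys, and the lure words named in the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
LURE_WORDS = {"invitation", "conference", "resume"}

def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def ext_of(name):
    """Lower-cased extension of the last path component, '' if none."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""

def assess_attachment(subject, zip_bytes):
    """Return (verdict, reasons); verdicts are 'block', 'review' or 'allow'."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "review", ["attachment is not a valid zip archive"]
    exts = [ext_of(n) for n in names]
    execs = [n for n, e in zip(names, exts) if e in EXECUTABLE_EXTS]
    docs = [n for n, e in zip(names, exts) if e in OFFICE_EXTS]
    if execs:
        reasons.append("executable member(s): " + ", ".join(execs))
    if execs and docs:
        reasons.append("decoy document packed beside executable")
    lure = {w for w in LURE_WORDS if w in subject.lower()}
    if lure:
        reasons.append("lure subject word(s): " + ", ".join(sorted(lure)))
    if execs:
        return "block", reasons        # executable inside the zip: block outright
    if lure:
        return "review", reasons       # lure wording alone: route to a human
    return "allow", reasons

if __name__ == "__main__":
    sample = build_sample_zip({"invitation.scr": b"MZ...", "invitation.doc": b"decoy"})
    print(assess_attachment("Conference invitation", sample))
```

Lure words alone only escalate to review, since many legitimate messages use them; it is the executable member that triggers a block.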