Websense Security Labs ThreatSeeker Network has discovered that malware authors are sending emails that promise a video showing an interview with the advisors to the recently elected US President.
The company claims that the email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27.
Upon execution, files named system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified.
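The indicators above (the reported MD5, the two dropped file names and the modified hosts file) can be checked during triage of a suspect machine. This Python example is added here and is not code from Websense or the original article; the function names, the constructed sample hosts entries and the choice to flag any non-local name in the hosts file are assumptions.

```python
import hashlib
import ipaddress

# MD5 of the downloader as reported in the article.
REPORTED_MD5 = "9720d70a5da9ca442ecf41e9269f5a27"
# File names the article says are dropped into the system directory.
DROPPED_NAMES = {"system.exe", "firewall.exe"}
# Names a stock hosts file normally maps to loopback (assumption).
BENIGN_HOSTS = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file, not taken from the article.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.bank.example    # bank name pointed at this machine
203.0.113.10    login.bank.example
::1             localhost
"""


def md5_matches(data: bytes) -> bool:
    """True if the file contents hash to the MD5 given in the article."""
    return hashlib.md5(data).hexdigest() == REPORTED_MD5


def dropped_files(listing):
    """Names in a directory listing that match the dropped files, ignoring case."""
    return sorted(n for n in listing if n.lower() in DROPPED_NAMES)


def suspicious_hosts_entries(hosts_text: str):
    """Return (ip, hostname, reason) for entries that override DNS for non-local names."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address line; skip it
        for name in fields[1:]:
            if name.lower() in BENIGN_HOSTS:
                continue
            # A loopback mapping sends the name to a site served from this machine.
            reason = "redirected to this machine" if ip.is_loopback else "DNS override"
            findings.append((str(ip), name.lower(), reason))
    return findings
```

Each finding from `suspicious_hosts_entries` still needs review, since administrators and ad blockers also add hosts entries.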
The Trojan downloaders are not being detected by major anti-virus vendors according to Websense, though its own Websense Messaging and Websense Web Security customers are protected against these threats.
Carl Leonard said: "This is an email lure, we saw two alerts sent out yesterday so the spammers have reacted to the news of the US elections. The first one was a localised attack that was aiming to dupe people from the Latin America region which was passed off as an interview with Obama's advisors.
"The second attack was from a phishing attempt to get banking information which claimed that you had to update to the latest Adobe flash player. When this is downloaded it opens a 'phishing kit' that sets your machine up to work as a phishing website.
"It also scans your firewalls and sends compromised data out so you are acting as a scam website, when you access a banking website it sends your information back to the command centre. This is all hidden by the Rootkit which disguises the malware on your computer.
"This is very current, timely and topical as we saw tens of thousands of emails sent yesterday, and a few thousand sent today, so this is a very short attack that is capitalising on timing and it proves that malware authors do know their audience. We do expect further attacks around the US election theme, possibly when Obama is sworn in on January 20th."
See original article on scmagazineus.com