Beware of Malicious HTML Attachments in Spam E-mails

Recent spam activity has revealed that spammers are now distributing e-mails with malicious HTML attachments which lead to the download of additional malware.

These spam e-mails have subject lines covering topics such as Adult Friend Finder, Skype payment problems, Facebook password resets and, most recently, Delivery Status Notification (Failure). Once a user clicks on the HTML attachment provided in one of these spam e-mails, he/she is directed to the notorious Canadian Pharmacy website.

Malicious HTML attachments in spam e-mails

On reaching the pharmacy website, most users would assume they had fallen for yet another spam e-mail promoting the useless website; however, there is more to it than that. Research by SophosLabs uncovered a twist to this attack: an HTML iframe tag directs the victim to another website without his/her knowledge.

The malicious iframe takes the victim to a remote page from which additional malware is downloaded. In one instance both Notes10.pdf (detected as Troj/PDFJs-JS) and Applet10.html (detected as Troj/ExpJS-W) were downloaded; this malware is specifically designed to exploit vulnerabilities in both Acrobat and Java software.

SophosLabs also analyzed the malicious JavaScript within the HTML attachments and discovered how it managed to avoid decryption by calling the decryption routine via setTimeout. In conclusion, SophosLabs noted that “These attacks are just another example of the growing number of tricks being used within malicious JavaScript to evade generic detection and hinder automated analysis techniques.”
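A static triage check for the two traits described above, a remote iframe and a decode routine deferred through setTimeout, written as an added example (it is not SophosLabs' code or detection logic). The indicator lists, the finding names and the sample attachment are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed indicator lists for this sketch; tune them against your own mail flow.
DECODERS = re.compile(r"\b(eval|unescape|fromCharCode|atob|document\.write)\b")
DEFERRED = re.compile(r"\b(setTimeout|setInterval)\s*\(")
REMOTE = re.compile(r"^(?:https?:)?//", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class AttachmentScanner(HTMLParser):
    """Statically inspects one HTML attachment; no script is ever executed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (kind, detail) tuples
        self._script = None     # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if tag == "iframe" and REMOTE.match(src):
            # A remote frame the reader cannot see is the stronger signal.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            unseen = tiny or HIDDEN.search(a.get("style", ""))
            self.findings.append(("hidden-remote-iframe" if unseen else "remote-iframe", src))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            timer = DEFERRED.search(body)
            # Flag only the combination: a timer call plus a decode/eval primitive.
            if timer and DECODERS.search(body):
                self.findings.append(("deferred-decode", timer.group(1)))

def scan_attachment(html_text):
    scanner = AttachmentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed, inert sample standing in for an attachment (example.invalid never resolves).
SAMPLE = """<html><body>
<iframe src="http://example.invalid/landing" width="1" height="1"></iframe>
<script>var d = "%68%69"; function dec() { document.write(unescape(d)); } setTimeout(dec, 50);</script>
</body></html>"""
```

Because the check never runs the script, deferring the decode step through a timer does not hide it from this scan; a script that uses a timer without any decode primitive is not flagged.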
