ACH Transfer spams serve Banking Trojan
The Dell Sonicwall UTM research team has been observing a recent increase in drive-by-download infections. These infections utilize the Blackhole Exploit and usually arrive in the form of spam masquerading as a legitimate company notification containing a malicious link.
The spam observed uses the following text and contains a malicious link:
The link takes the user to a malicious webpage that pretends to load a doc file containing further information:
The exploit causes the download of a Cridex Banking Trojan variant:
The Trojan creates the following files on the filesystem:
- %APPDATA%KB00097753.exe [Detected as GAV: Banker.M_10 (Trojan)]
The Trojan creates the following registry key in the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun KB00097753.exe "%APPDATA%KB00097753.exe"
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Banker.M_10 (Trojan)
- GAV: Blacole.JI_2 (Exploit)