ACH Transfer spam serves Banking Trojan

July 6, 2012

The Dell SonicWALL UTM research team has been observing a recent increase in drive-by-download infections. These infections use the Blackhole exploit kit and usually arrive as spam masquerading as a legitimate company notification (in this campaign, an ACH transfer notice) that contains a malicious link.

The spam observed uses the following text and contains a malicious link:

The link takes the user to a malicious webpage that pretends to be loading a document (.doc) file containing further information while the exploit code embedded in the page runs:

The webpage contains JavaScript code that employs the Blackhole exploit [Detected as Blacole.JI_2 (Exploit)]:

A successful exploit downloads and executes a variant of the Cridex banking Trojan:

The Trojan creates the following files on the filesystem:

  • %APPDATA%\KB00097753.exe [Detected as GAV: Banker.M_10 (Trojan)]
  • %APPDATA%\AB45AF71AB45AF71.DAT
  • %APPDATA%\AB45AF71AB45AF71.DAT.DAT

The Trojan adds the following value under the current user's Run key so that it is started again after every logon or reboot (a user-level Run entry needs no administrative rights):

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value name: KB00097753.exe
    Data: "%APPDATA%\KB00097753.exe"
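The two indicators above (an executable dropped straight into %APPDATA% and a matching HKCU Run value) are easy to check for after the fact. The following script is an added example written for this page, not part of the original advisory or of any SonicWALL tooling: it parses a `reg export` of the HKCU Run key and flags entries whose program lives directly in %APPDATA% or %TEMP%, and additionally any program named like a Windows hotfix (KB followed by digits, as in KB00097753.exe). The `.reg` text, the user name `alice`, the environment paths and the benign entries are all constructed for the offline demonstration; on a live host you would feed it the real export and `os.environ`. The location heuristic goes slightly beyond the advisory's single sample, since autostart entries pointing directly into %APPDATA% or %TEMP% are a common trait of droppers in general.

```python
import re
import ntpath
from typing import Dict, List

# Constructed environment for an offline run (on a live host use os.environ instead).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# Constructed sample of what
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# could look like on an infected host. The KB00097753.exe value mirrors the advisory's
# persistence entry; OneDrive and Greenshot are made-up benign entries for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"KB00097753.exe"="\"%APPDATA%\\KB00097753.exe\""
"Greenshot"="C:\\Program Files\\Greenshot\\Greenshot.exe"
'''

# Directories from which legitimate software rarely autostarts but droppers often do.
SUSPICIOUS_DIRS = ("APPDATA", "TEMP")

# Hotfix-style file name used by the advisory's sample (KB<digits>.exe): higher-confidence hit.
KB_NAME_RE = re.compile(r"^KB\d+\.exe$", re.IGNORECASE)

# One REG_SZ line of a .reg file: "name"="data", with \\ and \" escapes inside the strings.
REG_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def reg_unescape(s: str) -> str:
    """Undo .reg string escaping: backslash-backslash becomes backslash, backslash-quote becomes quote."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value name: command line} for the string values under a ...\\CurrentVersion\\Run key."""
    entries: Dict[str, str] = {}
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        if not in_run:
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            entries[reg_unescape(m.group("name"))] = reg_unescape(m.group("data"))
    return entries


def executable_from_command(command: str) -> str:
    """Extract the program path from a Run command: the quoted path, else the text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, as the Windows shell does; unknown vars are left alone."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def find_suspicious_run_entries(reg_text: str, env: Dict[str, str] = ENV) -> List[dict]:
    """Flag Run entries that start a program directly from %APPDATA%/%TEMP% or use a KB<digits>.exe name."""
    findings: List[dict] = []
    for name, command in parse_run_key(reg_text).items():
        exe = expand_env(executable_from_command(command), env)
        parent, fname = ntpath.split(exe)
        reasons = []
        for var in SUSPICIOUS_DIRS:
            if var in env and ntpath.normcase(parent) == ntpath.normcase(env[var]):
                reasons.append(f"executable directly under %{var}%")
        if KB_NAME_RE.match(fname):
            reasons.append("hotfix-style name KB<digits>.exe (as in the Cridex sample)")
        if reasons:
            findings.append({"value": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{hit['value']} -> {hit['exe']}: {'; '.join(hit['reasons'])}")
```

Running it on the constructed export reports only the KB00097753.exe value, with both reasons; the OneDrive and Greenshot entries pass because their executables sit in a product subfolder rather than in the profile root. A real triage pass would apply the same check to the HKLM Run/RunOnce keys and confirm the flagged file against the GAV signature listed below.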

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banker.M_10 (Trojan)
  • GAV: Blacole.JI_2 (Exploit)