Bredolab Trojan spam campaign
SonicWALL UTM Research team observed a wave of Resume spam campaign involving newer variant of Bredolab Trojan starting earlier this week. The spam emails arrive with a zip archived attachment which contains the Bredolab Trojan executable. The e-mail pretends to be arriving from a prospective job applicant and it looks like:
Attachment: resume_41170.zip (contains Myresume.exe)
Subject: Please look my CV, Thank you
I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,
Looking forward to your reply.
A sample email message looks like:
The executable files inside the attachment has an icon disguised as a Microsoft Word document file:
If the user opens the malicious attachment then it performs following activities on the victims machine:
- It creates the following file
- C:WINDOWSSystem32svrwsc.exe - Detected as GAV: Bredolab.ZX (Trojan)
- (Application Data)MicrosoftOFFICETEMPdoc~1.dat
- (Application Data)MicrosoftOFFICETEMPdoc~2.dat
- HKLMSYSTEMCurrentControlSetServicesSvrWscType: 0x00000010
- HKLMSYSTEMCurrentControlSetServicesSvrWscStart: 0x00000002
- HKLMSYSTEMCurrentControlSetServicesSvrWscErrorControl: 0x00000000
- HKLMSYSTEMCurrentControlSetServicesSvrWscImagePath: "C:WINDOWSSystem32svrwsc.exe"
- HKLMSYSTEMCurrentControlSetServicesSvrWscDisplayName: "Windows Security Center Service"
- HKLMSYSTEMCurrentControlSetServicesSvrWscObjectName: "LocalSystem"
- HKLMSYSTEMCurrentControlSetServicesSvrWscDescription: "The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with GAV: Bredolab.ZX (Trojan) signature.