An ongoing malicious spam campaign impersonating UPS has shown that malware peddlers are experimenting with different approaches for infecting hapless users, and additional recent spam campaigns have proved that one of them is particularly effective: embedding malware into RTF or DOC files.
The first campaign, analyzed by malware researcher Bart Blaze, starts with a fake UPS delivery notification that carries both a DOC file (supposedly the invoice) and a link to the invoice. The sender’s email address is spoofed to make it seem like the message is coming from a legitimate UPS email address.
The attached file and the one downloaded by following the link are the same: a bogus DOC file that is actually a RTF file containing an exploit. By using OfficeMalScanner’s RTFScan tool, Blaze discovered that the file carries a vulnerable OLE document, which exploits an MS Office vulnerability to install malware on the victim’s computer. Another sample he received did the same but exploited another Office flaw.
He didn’t manage to discover what malware is dropped, but he speculates it’s likely a Bitcoin mining Trojan or the Zeus information-stealing one.
In a very similar campaign spotted by Kaspersky Lab researchers, the same approach is used: a supposedly legitimate email carrying a “receipt” in form of a RTF file carries within itself a CPL file that is actually a banking Trojan written in Delphi:
“Embedding malicious files into RTF or DOC files allows cybercriminals to bypass e-mail filtering by extensions or type; also it allows them to break the AV detection by signatures,” the researchers explain, adding that they are sure to see this sam technique being massively exploited in the future.
What can one do to protect oneself from this? The usual: keep your Windows and Office updated (the exploits used are usually old and already patched) and use security software. More technically savvy users can also improve the security for Office files by disabling ActiveX, macros and blocking external content, and network administrators can block IPs tied to malicious campaigns.
“Though spammers and malware authors have tried the technique of attaching a malicious file or posting a link in the mail, I haven’t seen them do that both very much,” comments Blaze. “Using these exploits, it’s clear they are proof-testing their possibilities. How many have fallen or will fall for this campaign? How much of these mails were sent out anyway? There’s no sure way of knowing.”