Trend Micro researchers are warning about a clever and very well executed email spam campaign that has been targeting and continues to target French users with the goal of infecting their machine with backdoor malware, banking malware, and ransomware.
The spammers target both home and corporate users with emails impersonating the French Ministry of Justice.
The content of the subject line alternates between “Copy du jugement” (“Copy of judgment”), “L’information sur la comptabilité” (“The information on accounting”), “Paiement” (“Payment”), and “Urgent”, but the text of the email is the same, and says (in French) that a court has decided that the recipient’s property should be seized.
The recipients are urged to download and open the attached Word file, which supposedly contains a copy of the judgement. Once opened, the document downloads and opens an image from the file hosting site savepic.su: a reproduction of a hard-copy letter that the French Ministry of Justice typically sends to individuals stating that it cannot assist with cases that are already before the courts.
“This letter could have been obtained from a compromised system or email inbox, or by an accomplice working on behalf of the attackers,” the researchers noted, and added that the text of the email contains no mistakes.
“This suggests that a French speaker, or someone well-versed in French was responsible for writing the text. Combined with the authentic decoy image, it’s not difficult to see how a French user would not instantly realize he had been a victim of spam,” they pointed out.
In the background, the dropper also runs an embedded macro which downloads and runs the appropriate variant of the GootKit backdoor. In other instances, the dropper has also been spotted delivering the Cryptowall ransomware and banking Trojans.
The good news is that this scheme works only if the recipient has macros enabled, but the researchers expect this aspect of the attack to change in the future so that a wider audience could be successfully targeted.
It’s interesting to note that the attackers have used a malware delivery method first described in a paper presented last year.
“The paper described how developers could create an .SDB file that modifies or changes its behavior during its execution. We have seen how this particular method sideloads .DLLs, but this is the first time it has been used to patch a loader,” the researchers explained.
“This patch is about 6 kilobytes in size, and patches memory at 5 different memory locations within kernel32.dll in order to run its patched code on the fly. This technique is used not only to patch explorer.exe, but other processes as well. The patch code will detect the operating system version in order to get the appropriate version of GootKit (as both 32- and 64-bit versions are available).”
Apart from being a backdoor, GootKit is also able to monitor network traffic. Even encrypted traffic is not safe, as the malware adds a fake root certificate authority to the system, which enables it to perform MitM attacks on TLS connections.
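Both the .SDB loader-patching technique and the fake root CA described above leave artifacts on the host that a defender can enumerate. The following PowerShell triage script is an added example, not code from Trend Micro or from this article; it assumes it is run elevated on the suspect Windows host, and that $BaselineThumbprints (a hypothetical list exported from a known-clean machine of the same build) is supplied, otherwise it lists every root CA.

```powershell
# Added triage script (not from the Trend Micro write-up). Enumerates two kinds of
# host artifacts the article describes: custom application-compatibility shim
# databases (the .SDB technique used to patch the loader) and root CAs that are
# not in a baseline (the fake root CA GootKit installs for MitM).
# Assumption: run elevated; $BaselineThumbprints is a hypothetical list exported
# from a known-clean host with: (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
param(
    [string[]]$BaselineThumbprints = @()
)

$appCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# 1. Shim databases registered with sdbinst. A clean workstation normally has none
#    here; each entry records the .sdb path on disk and its install time.
Write-Host "== Installed custom shim databases =="
Get-ChildItem -Path "$appCompat\InstalledSDB" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Id          = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            # DatabaseInstallTimeStamp is a FILETIME QWORD; convert for readability
            Installed   = if ($p.DatabaseInstallTimeStamp) {
                              [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)
                          } else { $null }
        }
    } | Format-Table -AutoSize

# 2. Per-executable mappings: which processes have a custom shim applied.
#    The article notes explorer.exe and other processes were patched this way.
Write-Host "== Executables with custom shims applied =="
Get-ChildItem -Path "$appCompat\Custom" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_.PSChildName
        ($_ | Get-ItemProperty).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object { "{0} -> {1}" -f $exe, $_.Name }
    }

# 3. Root CAs: flag any certificate in the machine root store whose thumbprint is
#    not in the baseline. A MitM root CA added by malware shows up as a self-signed
#    certificate with a recent NotBefore and an unfamiliar subject.
Write-Host "== Root CAs not in baseline =="
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $BaselineThumbprints -notcontains $_.Thumbprint } |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter |
    Sort-Object NotBefore -Descending |
    Format-Table -AutoSize
```

Any entry under InstalledSDB or Custom on a host that has never had a vendor compatibility fix applied deserves a look at the referenced .sdb file and the process it targets.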
The spam campaign is still ongoing, and similar campaigns have been started to target users in other countries such as Italy.
With “Vi invieremо il doсumentо рer confermаrе il раgamеntо” (“We’ll send you the document to confirm the payment”), “Case number 647”, or “Information” in the subject line, the emails deliver a Word file (documente copy.doc) that carries the same dropper and uses another decoy image uploaded to savepic.su.