Digitally signed spam campaign spotted delivering malware

We’ve all heard about digitally signed malware, but have you ever been targeted with a digitally signed spam email?

Someone did, and has shared the signature notice with the public.

The signature is legitimate, and is bound to trick some users into opening the attached signed message. Unfortunately for those who do, the attachment contains a JavaScript file posing as a PDF, and running it triggers the download and execution of a piece of malware.

Malware researcher Bart Blaze thinks it's likely an Andromeda/Gamarue backdoor variant. But whatever the nature of the malware turns out to be, you can bet it's not harmless.

The victim is unaware that any of this has happened, and is shown a decoy PDF file meant to reassure him or her that nothing out of the ordinary occurred.

“How was that mail sent out? There’s no sure way of telling – it’s possible the company is compromised (by either malware or an attacker), there’s no SPF record, the certificate has been stolen (unlikely but not impossible), … Most likely, a machine is infected by a spambot,” says Blaze.

“Note that with PEC (Posta elettronica certificata), a user can send a signed message even when the mail server is not compromised. PEC means the server signs a message to ensure timestamp and sender, not content.”
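The two points above, that a valid signature says nothing about the safety of the attached content, and that the payload here is a script named to look like a PDF, can be turned into a mail-gateway check. The following is an added example written for this page (not code from the article, from Bart Blaze, or from any PEC provider): it walks a MIME message, including a multipart/signed wrapper, and flags attachments whose name ends in a script extension, especially double extensions such as ".pdf.js". The sample message, the "example.invalid" addresses, the attachment name and the base64 bodies are all constructed for the example; the detached signature part is a placeholder and is not verified. The right-to-left-override check goes slightly beyond the case in the article, since the same decoy trick is often done by reversing the displayed tail of the filename.

```python
"""Flag disguised script attachments in (possibly S/MIME-signed) mail."""
import email
from email import policy

# Extensions Windows hands to WScript/cmd when double-clicked; a decoy
# document extension is typically placed just before one of these.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".cmd", ".bat", ".exe", ".scr"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_name(filename: str) -> list:
    """Return the reasons a filename looks like a script posing as a document."""
    reasons = []
    parts = filename.strip().lower().split(".")
    if len(parts) >= 2:
        ext = "." + parts[-1]
        if ext in SCRIPT_EXTS:
            reasons.append(f"executable extension {ext}")
            if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
                reasons.append(f"double extension: looks like .{parts[-2]}")
    # U+202E (right-to-left override) reverses how the tail of the name is
    # displayed, so "invoice\u202efdp.js" renders as "invoicesj.pdf".
    if "\u202e" in filename:
        reasons.append("RLO character in filename")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Parse a raw message and list risky attachments, noting whether it is signed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    signed = msg.get_content_type() == "multipart/signed"
    findings = []
    for part in msg.walk():
        # The detached signature only attests sender/timestamp, never content,
        # so it is skipped rather than treated as evidence of safety.
        if part.get_content_type() == "application/pkcs7-signature":
            continue
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_name(name)
        if reasons and part.get_content_type() == "application/pdf":
            reasons.append("declared content type claims PDF")
        if reasons:
            findings.append((name, reasons))
    return {"signed": signed, "findings": findings}


# Constructed sample: a multipart/signed message carrying a "PDF" that is
# really a .js file. The signature blob is a placeholder, not a real PKCS#7.
SAMPLE_EML = b"""\
From: accounting@example.invalid
To: payments@example.invalid
Subject: Fattura
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="body"

--body
Content-Type: text/plain; charset="utf-8"

Please find the attached invoice.
--body
Content-Type: application/octet-stream; name="Fattura_2015.pdf.js"
Content-Disposition: attachment; filename="Fattura_2015.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--body--
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIIB
--sig--
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE_EML)
    print("signed:", result["signed"])
    for name, reasons in result["findings"]:
        print(f"BLOCK {name}: {'; '.join(reasons)}")
```

The output for the sample reports the message as signed and still blocks the attachment, which is the point: signature validation and attachment vetting are separate decisions, and a gateway should not let the former short-circuit the latter.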

The content of the email points to the target being a company employee, most likely someone in the accounting department. My bet is that this particular spam campaign was set up to ultimately give the attackers access to company funds.
