Different spam runs for same malware

We have now seen at least two spam runs that try to convince the recipient to install Trojan-Spy.Win32.Goldun.a.
This Trojan steals banking-related information.

What’s interesting is that the two spam runs used different techniques.

The first run had the following message body:

Clients Database.
Clients.rar attached. In clients.rar: clients.csv – database in Microsoft Excel.
X.chm – help file with another information about our clients.
Password on archive: 123.
Best regards, Alex.

As you can see, a password-protected RAR archive was used, with the password given in the message body so that the recipient can open it while mail gateway scanners cannot look inside. The .chm file inside the archive is a compiled HTML help file, not another archive; it contained an exploit that launched Trojan-Spy.Win32.Goldun.a, which was itself embedded in the .chm file.

The second message is a ‘true’ fraud mail.
It pretends to come from E-Gold, an online payment service, and carries a .zip attachment. This .zip archive contains “setup.exe”, which is Trojan-Spy.Win32.Goldun.a.

So we see two different social engineering techniques used in two different spam runs to deliver the same malware.
I expect that we will see a growing number of similar cases in the future, as blackhats keep trying to make money from the web.
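Both delivery tricks described above (a password-protected RAR whose password is quoted in the mail body, and a plain zip carrying setup.exe) can be caught at a mail gateway without knowing anything about the Trojan itself. The following is an added example, not code from the original post or from Kaspersky: a small Python scanner that walks a message's MIME parts, recognises RAR and CHM attachments by their file signatures, lists zip members that are executables or encrypted, and raises the verdict when an archive is attached and the body mentions a password. The two sample messages are constructed here and only imitate the structure of the spam runs; the RAR payload is just the signature plus padding because the standard library has no RAR parser.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# File signatures from the public RAR (v4 and v5) and CHM (ITSS) format specs.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
CHM_MAGIC = b"ITSF"
# Member extensions that should make a gateway suspicious inside an archive.
RISKY_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".chm", ".hta")
PASSWORD_RE = re.compile(rb"\bpassword\b", re.IGNORECASE)


def inspect_zip(data):
    """Return findings for a zip: encrypted members and executable members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(f"encrypted member: {info.filename}")
            if info.filename.lower().endswith(RISKY_EXTS):
                findings.append(f"executable member: {info.filename}")
    return findings


def inspect_attachment(filename, data):
    """Classify one attachment by signature first, extension second."""
    findings = []
    lower = filename.lower()
    if data.startswith(RAR_MAGICS):
        # Contents cannot be listed without a RAR parser; the archive alone is a signal.
        findings.append("RAR archive")
    elif data.startswith(CHM_MAGIC) or lower.endswith(".chm"):
        findings.append("CHM help file")
    elif data.startswith(b"PK\x03\x04"):
        try:
            findings.extend(inspect_zip(data))
        except zipfile.BadZipFile:
            findings.append("malformed zip")
    elif lower.endswith(RISKY_EXTS):
        findings.append("bare executable attachment")
    return findings


def scan_message(raw):
    """Walk a raw RFC 822 message; report suspicious attachments and body hints."""
    msg = email.message_from_bytes(raw)
    report = {"attachments": {}, "password_in_body": False}
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            hits = inspect_attachment(fname, part.get_payload(decode=True) or b"")
            if hits:
                report["attachments"][fname] = hits
        elif part.get_content_type() == "text/plain":
            if PASSWORD_RE.search(part.get_payload(decode=True) or b""):
                report["password_in_body"] = True
    return report


def verdict(report):
    """Turn the report into a gateway decision."""
    if report["attachments"] and report["password_in_body"]:
        return "quarantine: archive attached and password supplied in body"
    if report["attachments"]:
        return "quarantine: risky attachment"
    return "deliver"


def build_sample_first_run():
    """Constructed message modelled on the first run (RAR + password in body)."""
    msg = EmailMessage()
    msg["Subject"] = "Clients Database"
    msg.set_content("Clients.rar attached. Password on archive: 123.\nBest regards, Alex.")
    msg.add_attachment(RAR_MAGICS[0] + b"\x00" * 32, maintype="application",
                       subtype="vnd.rar", filename="Clients.rar")
    return msg.as_bytes()


def build_sample_second_run():
    """Constructed message modelled on the second run (zip holding setup.exe)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)  # dummy PE stub, not a real binary
    msg = EmailMessage()
    msg["Subject"] = "E-Gold account notice"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_first_run(), build_sample_second_run()):
        rep = scan_message(raw)
        print(rep, "->", verdict(rep))
```

The signature check comes before the extension check on purpose: a renamed archive still carries its magic bytes, and a gateway that trusts the filename alone is easy to bypass.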
