Different spam runs for same malware

We have now seen at least two spam runs which try to convince the recipient to install Trojan-Spy.Win32.Goldun.a.
This Trojan tries to steal bank related info.

What’s interesting is that the two spam runs used different techniques.

The first run had the following message body:

Clients Database.
Clients.rar attached. In clients.rar: clients.csv – database in Microsoft Excel.
X.chm – help file with another information about our clients.
Password on archive: 123.
Best regards, Alex.

As you can see, a password-protected rar archive was used. The .chm file mentioned in the message contained an exploit to run Trojan-Spy.Win32.Goldun.a, which also resided in the .chm file.

The second message is a ‘true’ fraud mail.
It pretends to be from E-Gold, which is a banking site, and has a .zip archive attached. This .zip archive contains “setup.exe”, which is Trojan-Spy.Win32.Goldun.a.

So we see two different social engineering techniques used in two different spam runs for the same malware.
I expect that we will see a growing number of similar cases in the future, as blackhats relentlessly keep trying to make money out of the web.
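An attachment triage routine covering both lures, as an added example that is not part of the original post or of Kaspersky's tooling. It scores, from a mail gateway's point of view, the signals the two runs share: an archive the scanner cannot open (a RAR whose password is handed over in the message body), a .chm help file, and an executable inside a .zip. The sample attachments, message bodies, file names and the scoring thresholds are constructed assumptions; there is deliberately no RAR reader, so the RAR sample is only a signature stub.

```python
"""Mail-attachment triage for the two Goldun lures (added example, not Securelist's code).
All samples below are constructed stand-ins, not the original spam."""
import io
import re
import zipfile
from dataclasses import dataclass, field

RAR_MAGIC = b"Rar!\x1a\x07"   # common prefix of the RAR4 and RAR5 signatures
CHM_MAGIC = b"ITSF"           # compiled HTML help (.chm) container header
MZ_MAGIC = b"MZ"              # DOS/PE executable header

# Extensions a gateway should not let through inside a "document" archive.
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".chm", ".js", ".vbs")
# Lure text that hands the recipient the archive password in the mail body.
PASSWORD_HINT = re.compile(
    r"password.{0,20}(?:archive|zip|rar)|(?:archive|zip|rar).{0,20}password", re.I | re.S)


@dataclass
class Verdict:
    filename: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def flag(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def action(self) -> str:
        # Threshold is an assumption for the example; tune it to your false-positive budget.
        return "quarantine" if self.score >= 3 else "deliver"


def _check_name(name: str, v: Verdict, where: str) -> None:
    if name.lower().endswith(RISKY_EXT):
        v.flag(3, f"{where}: executable or help-file extension '{name}'")


def _inspect_zip(data: bytes, v: Verdict) -> None:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:          # general-purpose bit 0: entry is encrypted
                v.flag(3, f"encrypted member '{info.filename}' cannot be scanned")
                continue
            _check_name(info.filename, v, "zip member")
            if zf.read(info).startswith(MZ_MAGIC):
                v.flag(2, f"member '{info.filename}' has an MZ (PE) header")


def triage_attachment(filename: str, data: bytes, body: str) -> Verdict:
    """Score one attachment together with the message body it arrived in."""
    v = Verdict(filename)
    _check_name(filename, v, "attachment")
    password_in_body = bool(PASSWORD_HINT.search(body))
    if data.startswith(CHM_MAGIC):
        v.flag(3, "CHM container: can carry script and embedded files")
    if data.startswith(RAR_MAGIC):
        # No RAR reader here: the gateway must decide on metadata alone,
        # which is exactly what a password-protected lure counts on.
        v.flag(1, "RAR archive: contents not inspectable here")
        if password_in_body:
            v.flag(3, "archive password supplied in message body")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        _inspect_zip(data, v)
        if password_in_body:
            v.flag(3, "archive password supplied in message body")
    return v


# --- constructed samples (assumptions, not the real attachments) ---
def sample_clients_rar() -> bytes:
    """Stand-in for the first run: a RAR signature plus filler, nothing decodable."""
    return RAR_MAGIC + b"\x00" * 64


def sample_egold_zip() -> bytes:
    """Stand-in for the second run: a .zip holding 'setup.exe' with a fake MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", MZ_MAGIC + b"\x90\x00" * 32)   # not a real binary
    return buf.getvalue()


CLIENTS_BODY = ("Clients Database.\nClients.rar attached. In clients.rar: clients.csv - database in "
                "Microsoft Excel.\nX.chm - help file with another information about our clients.\n"
                "Password on archive: 123.\nBest regards, Alex.")
EGOLD_BODY = "Please see the attached account notice."   # constructed; the real body is not quoted


def run_demo() -> dict[str, Verdict]:
    return {
        "clients": triage_attachment("Clients.rar", sample_clients_rar(), CLIENTS_BODY),
        "egold": triage_attachment("notice.zip", sample_egold_zip(), EGOLD_BODY),
    }


if __name__ == "__main__":
    for v in run_demo().values():
        print(f"{v.filename}: {v.action} (score {v.score})")
        for reason in v.reasons:
            print("  -", reason)
```

Both constructed samples end up quarantined for different reasons: the RAR is flagged because it cannot be opened and its password is printed in the mail, the ZIP because its only member is an executable by both name and header. A plain PDF with no archive wrapper scores zero, which is the point of scoring signals rather than blocking archives outright.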
