Different spam runs for same malware

We have now seen at least two spam runs which try to convince the recipient to install Trojan-Spy.Win32.Goldun.a.
This Trojan tries to steal bank related info.

What’s interesting is that the two spam runs used different techniques.

The first run had the following message body:

Clients Database.
Clients.rar attached. In clients.rar: clients.csv – database in Microsoft Excel.
X.chm – help file with another information about our clients.
Password on archive: 123.
Best regards, Alex.

As you can see a passwordprotected rar archive was used. The mentioned .chm archive contained an exploit to run Trojan-Spy.Win32.Goldun.a, which also resided in the .chm file.

The second message is a ‘true’ fraud mail.
It pretends to be from E-Gold, which is a banking site, and has a .zip archive attached to it. This .zip archive contains “setup.exe”, which is Trojan-Spy.Win32.Goldun.a.

So we see two different (social) engineering techniques used in two different spam runs for the same malware.
I expect that we will see a growing number of similar cases in the future, as blackhats relentlessly keep trying to make money out of the web.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *