We have now seen at least two spam runs which try to convince the recipient to install Trojan-Spy.Win32.Goldun.a.
This Trojan tries to steal bank related info.
What’s interesting is that the two spam runs used different techniques.
The first run had the following message body:
Clients.rar attached. In clients.rar: clients.csv – database in Microsoft Excel.
X.chm – help file with another information about our clients.
Password on archive: 123.
Best regards, Alex.
As you can see a passwordprotected rar archive was used. The mentioned .chm archive contained an exploit to run Trojan-Spy.Win32.Goldun.a, which also resided in the .chm file.
The second message is a ‘true’ fraud mail.
It pretends to be from E-Gold, which is a banking site, and has a .zip archive attached to it. This .zip archive contains “setup.exe”, which is Trojan-Spy.Win32.Goldun.a.
So we see two different (social) engineering techniques used in two different spam runs for the same malware.
I expect that we will see a growing number of similar cases in the future, as blackhats relentlessly keep trying to make money out of the web.