By Andrew Brandt
If you received one or more email messages over the past week that claim to contain an attached gift certificate for the Apple iTunes store or an unsolicited résumé, you probably received the latest scam involving the Tacticlol downloader.
The iTunes-themed spam messages use a forged return address (email@example.com) and read, in part, "You have received an iTunes Gift Certificate in the amount of $50.00. You can find your certificate code in the attachment below." The résumé messages simply say "Please review my CV, Thank you!", using the abbreviation for Curriculum Vitae, the British analogue to the word résumé.
The Trojan’s ongoing campaign attempts to trick victims into opening Zip-compressed attached files, which themselves contain an executable installer. The attachments almost always use the icon of a Microsoft Word document, and we usually see the Trojan launch an instance of Word and modify the default document template (named normal.dot) in the course of the infection.
We followed this Trojan down its particular rabbit hole and discovered logs and other files that indicate that, in just one day of operation, the Trojan had infected more than 9000 computers around the world and had begun to download one of three payloads, one of which was immediately identifiable as the prolific spambot we call Trojan-Pushu (aka Pushdo or Cutwail). The other two payloads were a keylogging password stealer, and a rogue antivirus installer.
The campaign is clearly connected to a spam run we saw a few weeks ago, in which the message (in hilariously misspelled English) claims the attachment is a recording contract of some kind, sent from a forged return address that appears to belong to a record company. A similar campaign was waged over the past several weeks, in which the recipient was told that the document contains a new password for their Facebook account. However, the end result of opening the alleged iTunes Gift Certificate is no different from opening the Facebook document, the “Conract,” or the shipping label or invoice documents: instant infection, with the promise of more infections to come.
Trojan-Downloader-Tacticlol (which also goes by the name Oficla or Sasfis in competing products) has been employed in connection with a number of spam campaigns where the message supposedly informs the recipient that a shipping service, such as DHL, UPS, FedEx, or the US Postal Service, is in possession of a package addressed but undeliverable to the recipient.
The messages inform the victim that the attached Zip file contains a shipping invoice, which the victim is asked to print out and bring to the nearest office of whichever shipping company the scammers are posing as this week. Those Trojans have names such as “UPS_invoice_###.exe” or “DHL_label_nr###.exe” (where the # sign may be any number). The new variants are named “Resume_document_###.exe” or “iTunes_certificate_###.exe” — and like the earlier versions, the attachments are small, no more than about 80KB in size.
In the course of researching these Trojans, the command-and-control server that sends instructions to the Tacticlol sample we installed directed the Trojan to download a payload hosted deep in the directory structure of a legitimate Web site running WordPress.
As the investigation continued, I encountered something familiar that had been installed on the compromised Web server: a remote-control app called the c99 Shell. Once installed, the c99 Shell lets the criminal send commands as though they were sitting in front of the server. But this was a new version of c99, which refers to itself as the c99 madShell v. 3.0 Blog edition. Name notwithstanding, the PHP-based backdoor appears to have been customized specifically to be installed on compromised Apache Web servers with WordPress installed.
Among the features in this version of c99 Shell is that it maintains a log of the computers that have downloaded the malicious payloads hosted on the infected server. The log lists the IP address of the infected computer, the time and date the computer connected to the compromised Web server, the file that the infected computer downloaded, and information about the type and version number of the browser installed on that infected computer.
What came as a complete surprise is that, out of 18,576 log entries, 17,540 entries (more than 94%) include a reference to the Opera browser, specifically Opera 9.64. But this isn’t an indication that Opera was installed on the infected PCs. It appears that the Trojan reports Opera 9.64 as its User Agent when it contacts the Web server hosting the malicious payloads. As each infected computer makes two connections to the hacked server, we can assume that this particular Trojan infected 8770 PCs by the time we reported the attack to the site’s owner, and they removed the malware from their server.
Web server admins who notice a huge spike in entries like these in their own log files should take a close look at their server, at which files those clients are requesting, and at where the clients are connecting from.
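As an added example (not code from the original post), here is a small triage script that applies the indicators described above to a server's own access log: it counts requests carrying the "Opera/9.64" User-Agent the Trojan reports, lists the most-requested paths for those hits, and estimates the number of infected hosts by dividing the hit count by the two connections each victim makes. It assumes Apache combined log format, since the article does not show the c99 Shell's own log layout; the log lines, IP addresses and payload path are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample log in Apache combined format (assumed layout, not the
# c99 Shell's own log). Documentation IPs and a placeholder payload path.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2010:09:01:02 +0000] "GET /wp-content/uploads/x/payload.exe HTTP/1.1" 200 61440 "-" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
192.0.2.10 - - [12/Apr/2010:09:01:05 +0000] "GET /wp-content/uploads/x/payload.exe HTTP/1.1" 200 61440 "-" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
198.51.100.7 - - [12/Apr/2010:09:02:11 +0000] "GET /wp-content/uploads/x/payload.exe HTTP/1.1" 200 61440 "-" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
198.51.100.7 - - [12/Apr/2010:09:02:14 +0000] "GET /wp-content/uploads/x/payload.exe HTTP/1.1" 200 61440 "-" "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
203.0.113.5 - - [12/Apr/2010:09:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
203.0.113.9 - - [12/Apr/2010:09:04:30 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Opera/10.10 (Windows NT 6.0; U; en) Presto/2.2.15"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_UA = "Opera/9.64"  # User-Agent the article says the Trojan presents


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, suspect_ua=SUSPECT_UA, hits_per_host=2, share_threshold=0.5):
    """Summarise how much of the log is driven by the suspect User-Agent.

    estimated_victims follows the article's reasoning: each infected host
    makes hits_per_host connections, so victims ~= suspect hits / hits_per_host.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = [r for r in records if suspect_ua in r["ua"]]
    share = len(hits) / len(records) if records else 0.0
    return {
        "total_entries": len(records),
        "suspect_entries": len(hits),
        "suspect_share": round(share, 3),
        "distinct_hosts": len({r["ip"] for r in hits}),
        "estimated_victims": len(hits) // hits_per_host,
        "hot_paths": Counter(r["path"] for r in hits).most_common(3),
        "anomalous": share >= share_threshold,  # flag when the suspect UA dominates
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```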
These new messages show that the malware distributors who are spamming the attachments are trying out a wider range of scam hooks in an attempt to convince potential victims to open the attachments. In addition to blocking the command and control servers, we’ve added new detections to account for these samples, but the best advice is to steer clear of the problem. Just delete messages like these.