Bredolab, back to square one!
Posted on behalf of Bhaskar Krishnappa
Last week Symantec Intelligence blogged about the new tactics applied by Bredolab, especially the start-code obfuscation and hack pack approach.
Over the past 24 hours our e-mail scanning engine and monitoring tools have reported a large run of Bredolab malware. The most interesting part is that our scanners have seen two different samples (MD5 f8527fc91329e282c261331303dbaa82 and MD5 ea9ad01c0e8d58c3a5cd8666568201f4), each sent under a variety of subject lines and attachment names in an attempt to slip past mail scanning engines and spam signatures.
We also have statistics on the subject lines used (with the count seen for each) and on the attachment names the attackers chose to make the mail appear to come from well-known parcel delivery and money transfer services.
We have seen more than 300 copies of the first sample (MD5 f8527fc91329e282c261331303dbaa82), which poses as a delivery status notification from a popular international express shipper.
As the graph above shows, the subject line “XX attention” is the attackers' main bait for grabbing the victim's attention.
Turning to the second sample (MD5 ea9ad01c0e8d58c3a5cd8666568201f4), we have seen more than 200 copies of the e-mail carrying the same attachment. Notably, this sample was sent under a much larger variety of subject lines than the first.
Here are the statistics on the subject lines used and the count seen for each.
The graph above shows that money transfer subjects are favoured by the attackers, presumably because these lures infect more machines. Like the subject lines, the executable names used were not new, which shows the attackers' confidence that the same lures will keep working. It also shows a continuing lack of awareness among e-mail users, who are still opening malicious attachments delivered through these social engineering tactics.
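As an added example (not Symantec's tooling and not code from this post), here is a small Python scanner that does what the statistics above imply: it hashes every attachment, matches the hash against a blocklist of known sample hashes, and tabulates the subject lines and attachment names each sample arrived under, so the same binary is caught however the lure is reworded. Executables that are not on the blocklist are reported separately for triage. The messages, payloads, addresses and blocklist entries are constructed for the example; a real deployment would load the reported MD5s from a feed and, since MD5 collisions are cheap, record SHA-256 alongside.

```python
import email
import hashlib
from collections import Counter, defaultdict
from email import policy
from email.message import EmailMessage

# Constructed stand-ins for the two Bredolab executables. Real attachments
# would be PE files; these are fixed byte strings so the example runs offline.
# The blocklist is keyed by the MD5 of these constructed bytes, not by the
# MD5s reported in the post (a real deployment would load those instead).
SAMPLE_A = b"MZ" + b"\x90" * 64 + b"constructed-sample-A"
SAMPLE_B = b"MZ" + b"\x90" * 64 + b"constructed-sample-B"
SAMPLE_C = b"MZ" + b"\x90" * 64 + b"constructed-sample-C-not-yet-known"

# Attachment extensions that should never arrive unsolicited from a parcel
# or money transfer service.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of an attachment body; MD5 is used because the post reports samples by MD5."""
    return hashlib.md5(data).hexdigest()


BLOCKLIST = {
    md5_hex(SAMPLE_A): "Bredolab sample A",
    md5_hex(SAMPLE_B): "Bredolab sample B",
}


def build_message(subject: str, attachment_name: str, payload: bytes) -> bytes:
    """Build one RFC 5322 message with a single binary attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "notification@example.invalid"   # hypothetical sender
    msg["To"] = "victim@example.invalid"           # hypothetical recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached notification.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# A constructed mailbox: the same binary under several subjects and names,
# mirroring the pattern described in the post, plus one benign message and
# one executable the blocklist does not know yet.
CONSTRUCTED_MAILBOX = [
    build_message("Parcel delivery failure", "Delivery_Notification.exe", SAMPLE_A),
    build_message("Parcel delivery failure", "Delivery_Notification.exe", SAMPLE_A),
    build_message("Your shipment notification", "Delivery_Notification.exe", SAMPLE_A),
    build_message("Money transfer", "Transfer_Details.exe", SAMPLE_B),
    build_message("Payment received", "Transfer_Details.exe", SAMPLE_B),
    build_message("Transfer notification", "Payment.exe", SAMPLE_B),
    build_message("Meeting notes", "notes.txt", b"agenda for Monday"),
    build_message("Invoice", "invoice.exe", SAMPLE_C),
]


def scan_mailbox(raw_messages, blocklist):
    """Hash every attachment and tabulate subject/name per known sample.

    Returns (hits, unknown_executables): hits maps a sample label to Counters
    of the subjects and attachment names it arrived under; unknown_executables
    lists (subject, name, md5) for executable attachments not on the blocklist,
    which is what an analyst would triage next.
    """
    hits = defaultdict(lambda: {"subjects": Counter(), "names": Counter()})
    unknown_executables = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        for part in msg.iter_attachments():
            name = part.get_filename() or ""
            # Decoded body bytes, independent of the transfer encoding used.
            data = part.get_payload(decode=True) or b""
            digest = md5_hex(data)
            if digest in blocklist:
                label = blocklist[digest]
                hits[label]["subjects"][subject] += 1
                hits[label]["names"][name] += 1
            elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
                unknown_executables.append((subject, name, digest))
    return dict(hits), unknown_executables


if __name__ == "__main__":
    hits, unknown = scan_mailbox(CONSTRUCTED_MAILBOX, BLOCKLIST)
    for label, table in hits.items():
        print(label)
        print("  subjects:", dict(table["subjects"]))
        print("  names:   ", dict(table["names"]))
    print("unknown executables:", unknown)
```

The hash lookup is what makes the subject line and attachment name irrelevant to detection: sample A is matched three times even though it arrives under two different subjects, and sample B under three. The unknown-executable path is the caveat: a freshly repacked variant will not be on any hash list, which is why the post's advice to never open unsolicited executables still matters.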
Our customers were fully protected from last night's attack, as we stopped all of these samples. Once again we would caution e-mail users not to open these executables: attackers remain confident of infecting more machines with their age-old tricks, which takes them back to square one.