Rise in ZIP File Attachments in Spam Emails Lead to Bredolab Malware
Posted on behalf of Mat Nisbet, Malware Analyst, Symantec.cloud
On the 16th of March Rustock, the largest of the spamming botnets, was taken down. As you would expect, global spam levels started to drop, as can be seen when you look at the number of mails being delivered to one of our spamtraps.
However, on the 26th March we saw a large increase in the amount of data traffic hitting our spamtraps, despite the number of actual emails continuing to decline.
Investigation revealed that the reason for this was that the Cutwail botnet had started sending much more emails with zip file attachments than normal, meaning the average size of each mail was much higher than normal. The chart below shows that there have been a couple of spikes in early March, which may have been short test runs, but from the 26th March onwards there has been a sustained increase in spam traffic with a zip attachment.
These mails are all variations on the same familiar subject, a package could not be delivered and you need to open the attachment to print out and take to their depot in order to collect it.
This is a screenshot of a typical example:
Notice that the grammar is lacking in several places. Also the parcel number is used in three separate locations (the subject line, 2nd line of the mail, and the filename of the attachment) and is different in each location.
Inside the zip file attachment is an executable file, which if run, will infect the users' machine. The malicious files are all variants of the Bredolab malware. Once on the system, the Bredolab family of malware allows the attacker to take control of the machine and download other things to it. Most likely the infected machine would become part of a botnet, being used to spread the infection to others.
If you receive an email informing you that you have an undelivered package, be wary. There should be a phone number for you to contact the depot yourself, and opening hours of the depot. Also, if it asks you to print an attachment, do not do so. In reality, all that is needed is the ID number of a parcel, as you will be asked for identification when you go to collect it.