Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
In the past few days Symantec has observed virus spam masquerading as news articles regarding the current Georgia-Russia conflict. We felt it was important to blog about this because this particular event is garnering a lot of media attention and holds a very high profile. Because of this, there is an extremely high potential for the spreading of malicious code by spam email using information on this event as a lure.
The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment. The subject line appears to be a legitimate news story about the Russia/Georgia conflict. One subject line that has been seen reads: “Subject: Journalists Shot in Georgia.” A short description of a “news event” related to the Russia-Georgia conflict is contained within the body of the message.
The use of the attention-grabbing subject line seems to be intended as a social engineering tactic to entice recipients to click the link and view videos. The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin. Symantec has had coverage for this malware in place for some time now.
The use of social engineering to grab the attention of recipients and deliver malware is not a new technique. Symantec has observed this spamming tactic over the past several months. The past month in particular has seen many spammers being exceptionally active in the use of fake news headlines to spread malicious code.
We have observed several million instances of this particular spam attack delivering malicious code. End users can protect themselves by making sure their virus definitions are current and by thoroughly checking out any links and attachments before clicking/following them.