Spammers Cash In On Taiwanese Bank’s Credit Card Promotion
We have observed spam posing as credit card promotion email from a legitimate Taiwanese commercial bank; the messages carry a link to a page that loads a malicious .swf file. The bank's image appears at the top of the message and promotion notes at the bottom, with a large blank space between them designed to suggest that the promotion content was lost in transit. Recipients are then told to click the link if the page fails to display correctly.
The campaign appears to be a dictionary/domain attack (messages sent to guessed addresses across target domains). Symantec detects the "blog.html" page linked from the spam as Trojan.Malscript!html. That page stages shellcode and loads a file named sploit.swf, which exploits the Adobe AVM2 Scope Stack Corruption Vulnerability (BID 35779); if the exploit succeeds, the shellcode staged in blog.html is executed. We detect sploit.swf as Bloodhound.Exploit.266.
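As an added example (this is not Symantec's code and not content from the campaign), the following Python triage script shows how an analyst could inspect a landing page of the kind described above: it lists the .swf files the page loads via object/embed/param tags, flags script blocks that stage a buffer through long runs of %uXXXX escapes (the usual way shellcode and a NOP sled are placed in memory from JavaScript), and parses the header of the referenced SWF file, inflating CWS-compressed bodies so they can be scanned. The HTML page, the SWF bytes and the file name sploit.swf used here are constructed for the example.

```python
"""Triage a suspected exploit landing page and the SWF file it loads."""
import re
import struct
import zlib
from html.parser import HTMLParser

# Constructed sample page for this example; it is NOT the real blog.html.
# It unescapes %u-encoded buffers in script and embeds a 1x1 Flash object.
SAMPLE_HTML = """<html><body>
<script>
var sled = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var sc = unescape("%uc931%ue983%ud9a6%ud9ee%u2474%u5bf4%u7381%u3413");
</script>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1">
  <param name="movie" value="sploit.swf">
  <embed src="sploit.swf" type="application/x-shockwave-flash" width="1" height="1">
</object>
</body></html>
"""

# Constructed SWF files: an uncompressed (FWS) and a zlib-compressed (CWS)
# header, version 9, each followed by a 12-byte stub body. A real file
# would carry the RECT, frame rate, frame count and tag stream there.
SAMPLE_SWF = b"FWS\x09" + struct.pack("<I", 20) + b"\x00" * 12
SAMPLE_SWF_COMPRESSED = b"CWS\x09" + struct.pack("<I", 20) + zlib.compress(b"\x00" * 12)

# Eight or more consecutive %uXXXX words: each word encodes two bytes.
_U_ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}")


class _PageParser(HTMLParser):
    """Collects .swf references and the text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.swf_refs = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        candidates = [a.get("src"), a.get("data")]          # <embed>, <object data=...>
        if tag == "param" and (a.get("name") or "").lower() == "movie":
            candidates.append(a.get("value"))                # <param name="movie">
        for ref in candidates:
            if ref and ref.lower().split("?")[0].endswith(".swf"):
                self.swf_refs.append(ref)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def analyze_html(html):
    """Return the SWF references and an estimate of shellcode bytes staged in script."""
    parser = _PageParser()
    parser.feed(html)
    parser.close()
    script = "".join(parser.script_text)
    runs = _U_ESCAPE_RUN.findall(script)
    staged_bytes = sum(len(run) // 6 * 2 for run in runs)   # 6 chars -> 2 bytes
    return {
        "swf_refs": list(dict.fromkeys(parser.swf_refs)),     # de-duplicated, ordered
        "unescape_calls": script.count("unescape("),
        "staged_bytes": staged_bytes,
        # A page that both stages a buffer from script and loads Flash is
        # worth pulling for manual analysis.
        "suspicious": bool(parser.swf_refs) and staged_bytes > 0,
    }


def parse_swf_header(blob):
    """Parse the 8-byte SWF header and return the (inflated) body for scanning.

    Only FWS (plain) and CWS (zlib) are handled; ZWS (LZMA) is rejected.
    """
    if len(blob) < 8 or blob[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a supported SWF file")
    signature, version = blob[:3].decode("ascii"), blob[3]
    declared_length = struct.unpack("<I", blob[4:8])[0]      # length of uncompressed file
    body = blob[8:]
    if signature == "CWS":
        body = zlib.decompress(body)
    return {
        "signature": signature,
        "version": version,
        "declared_length": declared_length,
        "length_matches": declared_length == 8 + len(body),
        "body": body,
    }


if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
    for sample in (SAMPLE_SWF, SAMPLE_SWF_COMPRESSED):
        hdr = parse_swf_header(sample)
        print(hdr["signature"], "v%d" % hdr["version"], "length ok:", hdr["length_matches"])
```

The %u threshold and the "Flash plus staged buffer" rule are deliberately crude; in practice the inflated SWF body would be handed to a Flash-aware scanner, and a declared length that does not match the real file size is itself a common sign of a hand-built exploit file.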
Sample message:
From: [Details Removed] <xxxxxxxxxxxxxxxxxxx@xxxxxxxxxxxx.xxxxxx.xxx>
Subject: [Details Removed] 信用卡─現抵1,000元!
Translation:
Subject: [Details Removed] Credit card: NT$1,000 off instantly!
Body Translation:
Unable to view images? Click here.
Note:
1. [Details Removed] credit card holders get NT$1,000 off instantly.
2. Customers who are not [Details Removed] telecom subscribers, or who are signing up for a new [Details Removed] telecom 3G plan, should visit a [Details Removed] branch or www..xxxxxxx.xxx/iphone for details.
3. Please inform the customer representative if installment payment is desired. [Details Removed]