Volcanic Eruptions Spewing Malicious Infostealer
In April, when a sequence of volcanic eruptions took place at Eyjafjallajökull in Iceland, Symantec reported a wave of online pharmacy spam in which news related to the volcano was used in spam “Subject” lines. The blog, entitled Iceland Volcano Eruption Triggers Blue Pill Cloud, discusses the first of several rounds of spam related to the volcanic ash cloud.
This recent spate of volcano spam attempts to spread a malicious binary that is detected as Infostealer.Bancos by Symantec antivirus. The mail message claims to have the first videos of an air crash that took place in Portugal because of problems with the volcanic ash. The message alleges that the cloud of ash damaged the aircraft engine, causing it to crash into homes and kill more than 150 people. If the link to the videos is clicked on, a malicious .exe file is downloaded.
The various names of the exe files are as follows:
All downloaded files have a folder icon (as shown in below image) to trick the users to open the file:
Here is an image of one such spam email associated with this campaign:
The infostealer is responsible for stealing confidential financial information, collecting email addresses, and deleting predetermined files from compromised machines. We caution users not to open or click on the links or attachments of emails such as these. Symantec recommends having anti-spam and antivirus solutions installed and up to date to prevent the compromise of personal machines or networks.