200-fold increase in HTML-attachment spam

Posted by   Virus Bulletin on   Feb 16, 2012

Cutwail botnet likely behind campaign that sends users to Phoenix exploit kit.

Researchers at M86 have reported a significant increase in the amount of spam sent with malicious HTML attachments, the volume of which on some days was 200 times that on the first day of the year.

HTML, the mark-up language used to create web pages, is commonly used in email to display various fonts and colours and to embed images. All modern email clients are capable of displaying HTML emails, though it is good practice for these to contain a text-part as well. A slight modification to the emails means the HTML-part is seen as an attachment that can be viewed in a web browser, rather than shown within the email client. It is this that is being used in a large spam campaign, of which M86 believes the Cutwail botnet is the perpetrator.

These particular emails - which either have the subject 'End of August statement' or come with a 'Xerox scan' attached - contain an HTML attachment in which, through obfuscated JavaScript, an iframe is embedded. The Phoenix exploit kit is loaded in the iframe, which attempts to infect the user through exploits in various browsers and plug-ins.

The tactic of infecting users via iframes and obfuscated JavaScript is commonly used for drive-by downloads, mostly in compromised legitimate websites. By using an HTML attachment rather than a website, this kind of attack is less likely to be picked up by web filters, while spam filters may not attempt to de-obfuscate the JavaScript, thus making it less likely for URL blacklists to block the emails.

HTML-attachment spam made the news last month when it was said that users could be infected without opening the attachments. While it is not impossible for an email client to open the attachment and render the JavaScript, either through a bug or through bad design, it seems unlikely for this to happen. We have not found evidence of an email client with that property.

More at M86 here. The original story on the emails allegedly infecting users without the need to open an attachment is at eleven here, with comments from Sophos's Naked Security blog here.

Posted on 16 February 2012 by Virus Bulletin

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Throwback Thursday: Olympic Games

In 1994, along with the Olympic Games came an Olympic virus, from a group of Swedish virus authors calling themselves ‘Immortal Riot’. We look back at Mikko Hyppönen's analysis in the VB archive.

VB2016 call for last-minute papers opened, discounts announced

Announcing the VB2016 call for last-minute papers and a number of discounts on the conference registration rate.

Guest Blog: Malicious Scripts Gaining Prevalence in Brazil

In the run up to VB2016, we invited the conference sponsors to write guest posts for our blog. In the second of this series, ESET's Matías Porolli writes about malicious Visual Basic and JavaScript gaining prevalence in Brazil.

Romanian university website compromised to serve Neutrino exploit kit

The website of the Carol Davila University of Medicine and Pharmacy has been compromised to inject a hidden iframe into the site's source code that serves the Neutrino exploit kit and may infect visitors with ransomware.

It's 2016. Can we stop using MD5 in malware analyses?

While there are no actually risks involved in using MD5s in malware analyses, it reinforces bad habits and we should all start using SHA-256 instead.