Facebook E-mail Spam Conceals Malware Attack


Facebook has had a fair share of problems, being a large community of course it’s going to be a ripe target for spammers, scammers and malware distributors.

The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It’s also been observed the trojan will connect to additional servers to install more malware.

The ultimate goal as usual is to make the victims part of a botnet.

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users.

The malware is being blasted out by spammers in e-mails claiming to come from “The Facebook Team.” Inside the e-mails is a message that the recipient’s Facebook password has been changed. In order to get the new one, recipients are told to open the accompanying attachment containing the malware.

Researchers at Websense told eWEEK Oct. 27 that they have observed more than 350,000 of the messages. On the company’s blog, researchers explained that the malware connects to two servers to download additional malicious files. Among them is Pushdo, also known as Cutwail.

This spam campaign seems to be generating some fairly high levels of traffic meaning whoever is behind it is pretty serious and committed to this vector for disseminating malware.

Social engineering isn’t a new method for propagating malware as always the weakest link is never the technological barriers but is always the stupidity/greed/gullibility of humans.

You can ALWAYS hack the wetware.

“One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails,” according to M86 Security.

MX Logic noted that Bredolab bypasses firewalls by injecting its own code into the legitimate process svchost.exe and explorer.exe. It also contains anti-sandbox code to thwart researchers, and creates the following files: %AppData%\wiaservg.log, %Windir%\temp\wpv861256600826.exe and %Programs%\Startup\isqsys32.exe. Bredolab also creates the processes isqsys32.exe and svchost.exe.

Sophos is detecting the malware as Troj/BredoZp-M or Mal/Bredo-A.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software,” Graham Cluley, senior technology consultant at Sophos, advised in a blog post.

It looks like a pretty advanced piece of malware code which evades firewall measures and even tries to thwart analysis by AV companies.

Anti sandbox code and process injection, these bad guys are getting smart.

That does not bode well for the average citizen.

Source: eWeek

Posted in: Malware, Social Engineering, Spammers & Scammers

, , , , , , , , , , , , , ,


Latest Posts:


LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.
Stardox - Github Stargazers Information Gathering Tool Stardox – Github Stargazers Information Gathering Tool
Stardox is a Python-based GitHub stargazers information gathering tool, it scrapes Github for information and displays them in a list tree view.
ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.


Comments are closed.