“I’m in trouble!” email malware distribution attempt


MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign spread by email under the subject “Fwd: I’m in trouble!”.

The email is sent from various spoofed addresses and has the following body:

I was at a party, got drunk, couldn’t drive the car, somebody gave me a lift on my car, and crossed on the red light!
I’ve just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Asmita

Fingerprint: c72d5b3c-af1af1a5

At the end of the message there is a fingerprint code, but don’t be fooled by it: it is no proof that the message is genuine or safe to act on.

The URL behind ‘Here is the photo’ leads to a site where a redirect takes place to the malware payload. These URLs are quite easy to identify: they are fairly long, point to servers where blogs are hosted, and quite often contain what appear to be random characters and variables in the query string.

An example:

hxxp://newflight.info/wp-content/themes/twentyten/wvfou.htm?GAJLZP=Y73TY9V&SS4C24F=1H9F0COJCVB2P8FAVJL&Z208W=116AEU0Z&XC8C=3I1MPP6A2K42K&BO77Z=67QUD1YRE9QF11FV&04T9Z=4942YY7N&KMLD=HUKYAXRX7AUD5R4UK&

These pages then redirect, via an embedded iframe HTML tag, to a payload site such as hxxp://cgredret.ru/main.php.
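Detection logic for the two traits described above (a long, blog-hosted lure URL with random-looking query parameters, and an iframe redirect on the landing page), as an added example written for this post and not part of MX Lab's own tooling; the sample URL and HTML are constructed from the values quoted in the post, and the length and parameter-count thresholds are assumptions:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed from the lure URL quoted in the post (kept defanged as hxxp).
SAMPLE_URL = ("hxxp://newflight.info/wp-content/themes/twentyten/wvfou.htm?"
              "GAJLZP=Y73TY9V&SS4C24F=1H9F0COJCVB2P8FAVJL&Z208W=116AEU0Z&"
              "XC8C=3I1MPP6A2K42K&BO77Z=67QUD1YRE9QF11FV&04T9Z=4942YY7N&"
              "KMLD=HUKYAXRX7AUD5R4UK&")

# Constructed landing page modelled on the iframe redirect the post describes.
SAMPLE_HTML = ('<html><body><p>loading photo...</p>'
               '<iframe src="hxxp://cgredret.ru/main.php" width="1" height="1">'
               '</iframe></body></html>')

# Crude "random-looking" token: a run of upper-case letters and digits.
RANDOM_TOKEN = re.compile(r"^[A-Z0-9]{4,}$")

def suspicious_lure_url(url: str, min_len: int = 80, min_random_pairs: int = 3) -> bool:
    """Apply the three traits from the post: long, blog-hosted path,
    random-looking query keys and values. Thresholds are assumptions."""
    parts = urlsplit(url)
    on_blog_path = "/wp-content/" in parts.path or "/wp-includes/" in parts.path
    pairs = parse_qsl(parts.query)  # a trailing '&' yields no extra pair
    random_pairs = sum(1 for k, v in pairs
                       if RANDOM_TOKEN.match(k) and RANDOM_TOKEN.match(v))
    return len(url) >= min_len and on_blog_path and random_pairs >= min_random_pairs

class _IframeSrcs(HTMLParser):
    """Collect the src of every <iframe> (self-closing tags included)."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def iframe_redirect_targets(html: str) -> list:
    """Return the iframe destinations found in a fetched landing page."""
    parser = _IframeSrcs()
    parser.feed(html)
    return parser.srcs

if __name__ == "__main__":
    print("lure URL flagged:", suspicious_lure_url(SAMPLE_URL))
    print("iframe targets:", iframe_redirect_targets(SAMPLE_HTML))
```

Run the landing-page check only on content retrieved in an isolated analysis environment, never by opening the link from the mail client.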

MX Lab recommends not following any of the embedded URLs.