A new series of malicious emails is making the rounds

Feb 16, 2012 13:39 GMT

A Panda Security researcher came across a malicious email that purports to come from CULT, the popular online clothing store, alerting the recipient to a purchase supposedly made with their credit card.

Bearing the subject “CULT Order Confirmation (CULTXXXX)”, the email comes from a spoofed sender address that makes it look perfectly legitimate at first glance. Closer inspection, however, reveals that it is actually designed to spread an account-stealing Trojan.

Right above the order form, which is clearly designed to shock the recipient into believing that around 175 GBP (210 EUR or $270) were charged to their credit card, there is a link that supposedly points to the details of the order.

Users who rush to click on the link are served an executable file that carries an Adobe Acrobat icon, presumably to disguise its real purpose.
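An icon and a file name are both chosen by whoever built the file, so the only reliable way to tell a PDF from an executable is to look at its leading bytes. The following is an added example (not code from the article or from Panda Security) that classifies a file by its magic signature and flags the mismatch the article describes: executable content behind a PDF-looking name. The file names and byte strings are constructed for the example, not real samples.

```python
"""Added example (not from the original article): tell a real PDF from a
Windows executable by its content rather than its icon or file name."""
from dataclasses import dataclass
import re

# Well-known magic signatures (standard constants, not taken from the article).
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # also .docx/.xlsx/.jar containers

EXPECTED_BY_EXTENSION = {
    ".pdf": "pdf",
    ".exe": "pe",
    ".scr": "pe",
    ".zip": "zip",
}


@dataclass
class Verdict:
    claimed: str      # what the file name suggests
    actual: str       # what the leading bytes say
    suspicious: bool
    reason: str


def sniff(data: bytes) -> str:
    """Classify content by magic bytes only; ignore name and icon entirely."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type implied by the final extension (the part Explorer may hide)."""
    lower = filename.lower()
    for ext, kind in EXPECTED_BY_EXTENSION.items():
        if lower.endswith(ext):
            return kind
    return "unknown"


def inspect(filename: str, data: bytes) -> Verdict:
    claimed = claimed_type(filename)
    actual = sniff(data)
    if actual == "pe" and claimed != "pe":
        return Verdict(claimed, actual, True,
                       "executable content behind a non-executable name")
    if actual == "pe" and re.search(r"\.(pdf|doc|jpg|txt)\.", filename.lower()):
        return Verdict(claimed, actual, True,
                       "double extension masquerading as a document")
    if claimed != "unknown" and actual != "unknown" and claimed != actual:
        return Verdict(claimed, actual, True,
                       f"name says {claimed}, content is {actual}")
    return Verdict(claimed, actual, False, "name and content agree")


# Constructed samples, not real malware: a PE header stub and a PDF header.
SAMPLES = {
    "Order_Details.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to .pdf
}


def scan_samples() -> dict:
    return {name: inspect(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in scan_samples().items():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {name}: {v.reason}")
```

Mail gateways and endpoint tools apply the same idea at scale; the point of the snippet is that the check is cheap (a handful of bytes) and cannot be defeated by swapping an icon resource.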

Once executed, the file unleashes a Trojan with bot capabilities that creates a registry entry to ensure it is run each time the computer starts.
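Autostart registry entries are one of the first places an incident responder looks, because a dropped Trojan typically registers itself under a Run key and points at a location the user can write to. The following is an added example (not code from the article) that parses a .reg export of the Run keys and flags entries launched from user-writable directories. The export text, user name and value names are constructed for the example; the article does not name the registry value the Trojan creates.

```python
"""Added example (not from the original article): audit Run-key autostart
entries from a .reg export and flag ones launched from user-writable paths."""
import re

# Constructed sample export; the entries and paths are invented for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"AcroRd32"="C:\\Users\\alice\\AppData\\Roaming\\AcroRd32.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""

# Key headers of interest: ...\CurrentVersion\Run and ...\RunOnce under any hive.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
# "Name"="value" lines; .reg files escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Directory markers that a normal user can write to; a Trojan dropped by a
# phishing link almost always lands in one of these.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def parse_run_entries(text: str) -> list:
    """Return (key, value_name, command) tuples found under Run/RunOnce keys."""
    entries = []
    key = None
    for line in text.splitlines():
        stripped = line.strip()
        m = RUN_KEY_RE.match(stripped)
        if m:
            key = m.group(1)
            continue
        if stripped.startswith("["):      # some other key: stop collecting
            key = None
            continue
        v = VALUE_RE.match(stripped)
        if key and v:
            name, raw = v.groups()
            cmd = re.sub(r"\\(.)", r"\1", raw)   # undo .reg escaping
            entries.append((key, name, cmd))
    return entries


def executable_path(cmd: str) -> str:
    """First token of the command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def audit(text: str) -> list:
    """Attach a list of reasons to every Run entry; empty list means no finding."""
    findings = []
    for key, name, cmd in parse_run_entries(text):
        path = executable_path(cmd).lower()
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_EXPORT):
        status = "; ".join(f["reasons"]) or "ok"
        print(f"{f['name']:15} {f['path']}  ->  {status}")
```

On a live system the same export is produced with `reg export` for each of the two Run keys; reviewing the result against a known-good baseline is far quicker than reading the keys by hand, and the user-writable test catches the common case without needing a signature for the specific sample.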

The bad news is that this malicious component is designed to steal every bit of sensitive data it encounters, including Bank of America, Steam, Facebook, Gmail and any other credentials it finds. All the usernames and passwords it collects are sent back to the cybercriminals, giving them an easy way to steal the victim’s assets.

A curious thing about this Trojan is that it removes other bots that might prevent it from performing its tasks. This reminds us of Citadel, the piece of malware that is developed in a very customer-friendly environment.

We learned that some customers were advising the creators of the malware to incorporate a mini-antivirus that would ensure the competition is removed before the Trojan goes to work. Since a few days have passed since we learned of this, someone may already be testing the new features of Citadel.