Sep 16, 2010 15:36 GMT

A new wave of malicious emails is distributing a variant of the Oficla trojan inside ZIP attachments, masquerading as password change notifications from Facebook.

The rogue emails bear a subject of "Your facebook password has been changed" and come with a spoofed "From" field to appear as if they originate from an [email protected] address.

The contained message reads:

"Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in the attached document.

Thanks, Your Facebook."

According to spam researchers from Belgian email security vendor MX Lab, the attached file is called Facebook_document.zip and contains an executable of the same name.

To ensure that it starts every time the computer is rebooted, the trojan adds itself to the "Shell" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
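A defender-side check for the persistence mechanism just described, added here as an example rather than code from the article or from MX Lab. The registry path is the one the article names; the sample value's file path is a constructed placeholder, and the live read only runs on Windows.

```python
"""Flag Winlogon "Shell" entries other than explorer.exe (added example)."""
import sys

# Registry key named in the article (under HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"


def parse_shell_value(value):
    """Split a Shell value into program entries.

    Windows treats the value as a comma-separated list, which is why a trojan
    can append itself after explorer.exe and the desktop still loads normally.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_shell_entries(value):
    """Return every entry whose basename is not the stock Windows shell.

    Comparison is case-insensitive on the basename, so "explorer.exe" and
    "C:\\Windows\\explorer.exe" both pass; anything else is reported.
    """
    flagged = []
    for entry in parse_shell_value(value):
        exe = entry.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe != EXPECTED_SHELL:
            flagged.append(entry)
    return flagged


def read_winlogon_shell():
    """Read the live HKLM Shell value on Windows; None elsewhere or if absent."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample: explorer.exe followed by a placeholder dropped file.
    sample = r"explorer.exe,C:\PLACEHOLDER_PATH\Facebook_document.exe"
    print("sample ->", suspicious_shell_entries(sample))
    live = read_winlogon_shell()
    if live is not None:
        print("live ->", suspicious_shell_entries(live) or "clean")
```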

Oficla is usually affiliated with pay-per-install (PPI) operations, where other cybercriminals pay the trojan's authors money to distribute their own malware or scareware.

Therefore, it's very likely that victims who fall for this social engineering trick and execute the malicious file will eventually end up with multiple infections on their computer.

Also, chances run very high that they will be bombarded with bogus security alerts instructing them to buy a license for an otherwise useless program.

Fortunately, as of today, the signature-based antivirus detection rate for this particular Oficla variant is pretty high, with 34 out of 43 antivirus engines on VirusTotal picking it up as malicious.

As always, users are strongly advised to keep their security software up to date and treat email attachments with extra caution, even when they appear to originate from trusted sources.

According to a recent report from Symantec, the volume of spam emails carrying malicious ZIP attachments increased four-fold over the last month. ZBot and Oficla distribution campaigns were primarily responsible for the spike.