Spoofed Adobe email addresses are used to make the campaign more realistic

Nov 3, 2011 09:30 GMT

An email that promises a license key for Adobe's InDesign CS4 turns out to be a malicious campaign distributing a new Trojan which, at the time of writing, was detected by only 7 of the 43 antivirus engines listed on VirusTotal.

MX Labs intercepted a large number of emails with the subject “Your InDesign CS4 License key.” The messages appear to come from a spoofed sender address crafted to make recipients believe the mail really came from Adobe.

The sender addresses observed so far are [email protected], [email protected] and [email protected].

The message reads:

Your Adobe CS4 License key is in attached document below. We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars. Thank you for buying Adobe InDesign CS4 software. Adobe Systems Incorporated

The attached ZIP file is called License_key_N7853.zip. Once its contents are extracted, the user is faced with an executable named Licese_key, which turns out to be a piece of malware identified by Sophos as Troj/Bredo-LK.
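As an added example that is not part of the original article, the following Python script shows how a mail-triage check could flag messages matching this lure: a subject mentioning a license key, a sender claiming the adobe.com domain, and a ZIP attachment that contains an executable. The sample message is constructed here to mirror the campaign; the exact sender address and the ZIP contents are assumptions, and a hit is a triage signal for review, not a verdict.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions that should not arrive inside a "license key" ZIP.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
LURE_SUBJECT = "license key"      # phrase used by the campaign's subject line
SPOOFED_DOMAIN = "adobe.com"      # domain the spoofed senders impersonate


def build_sample_message() -> bytes:
    """Constructed sample resembling the campaign; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Adobe <noreply@adobe.com>"          # assumed spoofed sender
    msg["Subject"] = "Your InDesign CS4 License key"
    msg.set_content("Your Adobe CS4 License key is in attached document below.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes stand in for the malicious binary.
        zf.writestr("Licese_key.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="License_key_N7853.zip")
    return bytes(msg)


def find_executables_in_zip(data: bytes) -> list:
    """Return entry names with executable extensions; empty if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Inspect one raw RFC 822 message and report why it looks like the lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    findings = {"executables": [], "reasons": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            findings["executables"] += find_executables_in_zip(
                part.get_payload(decode=True))
    if findings["executables"]:
        findings["reasons"].append("ZIP attachment contains an executable")
    if LURE_SUBJECT in subject and SPOOFED_DOMAIN in sender:
        findings["reasons"].append("license-key lure claiming " + SPOOFED_DOMAIN)
    findings["suspicious"] = bool(findings["reasons"])
    return findings
```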

Once it lands on a device, it copies itself to the operating system's Startup folder, posing as a DirectX component. To avoid easy detection, it runs under a process named svchost, which ensures it is relaunched every time the computer starts so it can carry on with its malicious task.

Each time it runs, Bredo sends HTTP requests to a recently registered Russian domain.

When the researchers found it, the Trojan was detected by only a handful of security vendors. F-Prot detected it as W32/Yakes.F.gen!Eldorado and Symantec as Downloader.Chepvil.

As it may arrive in forms other than the example shown above, users are advised to keep their antivirus software up to date and not to open suspicious-looking attachments, even when they appear to come from a legitimate vendor.