Trusteer researchers analyze a new malicious campaign

Sep 13, 2013 18:56 GMT

We’ve recently learned that the crisis in Syria is being leveraged by cybercriminals in malware-spreading campaigns. Trusteer researchers have analyzed the spam run.

It all starts with a bogus news email, apparently coming from CNN or the BBC, regarding the crisis in Syria. The title, “The United States Began Bombing,” is designed to attract the recipient's attention.

According to experts, the links in these emails point to a watering hole site: a compromised website that has been set up to host an exploit.
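As an added example (not part of Trusteer's analysis or this article), a small Python triage function that flags the lure described above: a message whose sender display name claims CNN or BBC while its From domain and its links lead elsewhere. The brand domain list and the sample message are constructed assumptions.

```python
"""Triage a raw email for the spoofed-news lure described in the article:
a sender claiming to be CNN or BBC whose address and links are off-brand."""
from email import message_from_string
from email.utils import parseaddr
import re

# Domains the impersonated outlets send from (assumed for this example).
BRAND_DOMAINS = {
    "cnn": {"cnn.com", "mail.cnn.com"},
    "bbc": {"bbc.co.uk", "bbc.com"},
}
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def claimed_brand(display_name: str):
    """Return which news brand the sender display name claims, if any."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in name:
            return brand
    return None


def triage(raw_email: str) -> dict:
    """Compare the claimed brand with the From domain and link domains.
    Assumes a single-part text/plain message (enough for this lure)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    brand = claimed_brand(name)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    link_domains = {d.lower() for d in LINK_RE.findall(msg.get_payload())}
    findings = []
    if brand:
        expected = BRAND_DOMAINS[brand]
        if sender_domain not in expected:
            findings.append(f"sender domain {sender_domain!r} is not a {brand} domain")
        foreign = sorted(d for d in link_domains
                         if not any(d == e or d.endswith("." + e) for e in expected))
        if foreign:
            findings.append("links lead off-brand: " + ", ".join(foreign))
    return {"brand": brand, "sender_domain": sender_domain,
            "link_domains": sorted(link_domains), "findings": findings}


# Constructed sample modelled on the lure in the article (not a real message).
SAMPLE = """From: CNN Breaking News <alerts@news-update.example>
To: victim@example.org
Subject: The United States Began Bombing

Read the full story: http://compromised-site.example/news/syria.html
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("FLAG:", finding)
```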

In this case, the exploit targets a Java 7 security manager bypass vulnerability (CVE-2013-0422) that has been patched by Oracle.

If the exploit is successful, a two-stage download process is triggered and three pieces of malware are pushed onto the victim’s computer.

In the first stage of the attack, the Trojan PWS Win32/Fareit, a threat that’s designed to steal user credentials, is downloaded. This malware variant poses as an Adobe Flash updater.

In the second phase, Fareit retrieves a Trojan downloader of the Medfos family. These malicious components are used to install rogue browser extensions, redirect search engine results, and perform click fraud.

ZeuS, the well-known malware that’s designed to steal banking information from infected devices, is also downloaded by Fareit. The variant used in this case is Zbot Gameover.

“It specifically targets system information, online credentials, and banking details, but can be customized through a toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes,” Trusteer’s Dana Tamir noted.

Experts warn that the stolen information is in most cases used by the attackers to conduct financial fraud, and even in sophisticated attacks aimed at major organizations.