An email spam campaign pushing fake greeting cards sent by the White House, tricked employees in government-related organizations to infect themselves with a trojan that stole sensitive documents.The rogue emails were sent out on December 23, had a subject of "Merry Christmas!" and purported to come from a firstname.lastname@example.org address.
The contained body message read: "As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings.
"Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission."
This was followed by two links to the alleged greeting card, which lead to pages hosted on compromised legit websites.
Users who click on any of the links are prompted to download a file called card.zip and see an animated GIF image of a Christmas tree.
Card.zip contains a similarly named executable, which is a version of the infamous ZeuS banking trojan, known for stealing financial details from infected computers.
An interesting aspect of this threat is that the payload involves a second component, a Perl script converted to EXE format with a tool called Perl2exe.
This component searches the computer for all PDF, DOC and XLS files and uploads them to a remote server controlled by the attackers.
According to Brian Krebs, an analysis of the documents stolen by the trojan revealed that the victims included: an employee at the National Science Foundation’s Office of Cyber Infrastructure, an intelligence analyst in Massachusetts State Police, an employee at the Financial Action Task Force, an official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies and an employee at the Millennium Challenge Corporation.
Files lifted from these people, like NSF grant applications or records of court-ordered cell phone intercepts, contained potentially sensitive data.
Alex Cox, principal research analyst at a security firm called NetWitness, notes that this threat bears remarkable similarities to the malware behind the so called "Hilary Kneber" botnet discovered last February.