News of South Korea Ferry Used for Spam Evasion
News of a maritime disaster in South Korean waters hit full force on April 16, 2014. MV Sewol, a South Korean vessel, capsized off the country's southern coast.
While the world was still reeling from the horrific turn of events, cybercriminals got to work. Mere hours after the event was reported worldwide, we saw spammed messages that used this piece of news. In the samples we observed, the news is not used as bait; it is simply made part of the message itself.
Figure 1. Spammed message
Notice that everything else in the spammed message says nothing about the ferry incident. Only when you look at the entire message do you find the incident mentioned at the bottom. This technique, appending random clips of incidents or news that may be relevant given the date and time, is used by spammers to pad each message with timely, legitimate-looking text and so make it harder for content-based email filters to classify.
Once an email of this kind gets through your filters, your anti-malware solution and your ability to distinguish legitimate email from spam are the only protections you can rely on. Notice that in the image above, there is an attachment that poses as a court appearance notification. Once you mistakenly open that attachment, a backdoor runs on your computer. Further analysis of this particular case led us to detect the attachment as BKDR_KULUOZ.SMAL. This backdoor allows a remote malicious user to perform commands such as updating the malware version, downloading and executing files, and setting the computer to idle or sleep.
KULUOZ is known to be distributed by the Asprox botnet. KULUOZ downloads other malware such as FAKEAV and ZACCESS, and installs components of the Asprox botnet on your computer, possibly turning it into a spam distributor. Further analysis revealed that this particular KULUOZ variant is part of the Asprox botnet.
Events like this, unfortunate as they are, are exactly what spammers and cybercriminals use to further their activities. Cybercriminals often exploit just-occurred events because they know there is a demand for more information, any information, about them. In that situation, people are more inclined to open emails or click links.
While Trend Micro products readily filter email messages of this nature and prevent the execution of malicious attachments, your knowledge is also your best line of defense. Tell spam apart from legitimate email by looking closely at the sender, the subject, and the message. Most spam uses bogus email addresses, and subject lines and/or messages designed to catch attention. Identifying spam saves you a lot of the time and headache associated with keeping your data and your computer safe.
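The three things this post tells a reader to look at (the unrelated news clip padded onto the end of the body, the lure in the subject line, and the "court notice" attachment that is really an archived executable) can each be turned into a mail-gateway heuristic. The script below is an added example, not Trend Micro code and not a detection for any particular KULUOZ sample: the sample message, the keyword list, the overlap threshold and the score weights are all constructed assumptions, and the zip attachment it builds contains dummy bytes rather than a real program. The padding check compares the vocabulary of the last paragraph with the rest of the body; an appended news clip shares almost no words with a "court hearing" lure, so its overlap lands near zero.

```python
"""Heuristic scoring of a spam message that pads its body with an
unrelated news clip and carries an archived executable attachment.

Constructed example (not Trend Micro code): the sample message, keyword
list, threshold and score weights are illustrative assumptions."""
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed lists: extensions that should never arrive inside a "document" archive,
# and words typical of urgency lures such as fake court notifications.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LURE_WORDS = {"court", "appearance", "notification", "notice", "summons", "subpoena"}
PADDING_THRESHOLD = 0.1  # assumed cut-off for "last paragraph is unrelated"

WORD_RE = re.compile(r"[a-z]{3,}")


def words(text):
    """Lower-cased vocabulary of a text (words of three or more letters)."""
    return set(WORD_RE.findall(text.lower()))


def trailing_padding_overlap(body):
    """Jaccard overlap between the last paragraph and the rest of the body.

    A news clip appended to defeat content filters shares almost no
    vocabulary with the lure text, so the overlap is close to 0.
    Single-paragraph bodies return 1.0 (nothing to compare)."""
    paras = [p for p in re.split(r"\n\s*\n", body.strip()) if p.strip()]
    if len(paras) < 2:
        return 1.0
    last, rest = words(paras[-1]), words("\n".join(paras[:-1]))
    if not last or not rest:
        return 1.0
    return len(last & rest) / len(last | rest)


def archived_executables(msg):
    """Names of executable-looking members inside zip attachments."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if os.path.splitext(member)[1].lower() in EXEC_EXTENSIONS:
                            found.append(member)
            except zipfile.BadZipFile:
                found.append(name + " (unreadable archive)")
    return found


def score_message(raw_bytes):
    """Return (score, reasons) for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    score, reasons = 0, []
    overlap = trailing_padding_overlap(text)
    if overlap < PADDING_THRESHOLD:
        score += 2
        reasons.append(f"unrelated trailing paragraph (overlap {overlap:.2f})")
    if words(msg.get("Subject", "")) & LURE_WORDS:
        score += 1
        reasons.append("urgency lure in subject")
    execs = archived_executables(msg)
    if execs:
        score += 3
        reasons.append("executable inside archive: " + ", ".join(execs))
    return score, reasons


def build_sample():
    """Constructed message resembling the described campaign; the zip member
    holds dummy bytes, not malware."""
    msg = EmailMessage()
    msg["From"] = "clerk@example.invalid"  # constructed sender address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Notice of court appearance"
    msg.set_content(
        "Hereby you are notified that you have been scheduled to appear\n"
        "for your hearing. Please bring all documents and witnesses\n"
        "relating to this case. The copy of the court notice is attached.\n"
        "\n"
        "A ferry carrying hundreds of passengers sank off the southern\n"
        "coast on Wednesday; rescue teams continued to search the waters\n"
        "overnight.\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Court_Notice_Apr16.exe", b"not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Court_Notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    total, why = score_message(build_sample())
    print(total, why)
```

The overlap check is deliberately crude: it will also fire on legitimate mail whose last paragraph is a boilerplate disclaimer, so in practice it is one weighted signal among several, which is why the attachment check carries the highest weight here.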
With additional analysis from Mark Aquino