CSIS Blog: ZeuS campaign camouflaged as RTF

CSIS has observed and analyzed several spam emails sent in "targeted spam campaigns" where the attached file is either an RTF document or an RTF document packed in a ZIP archive.

RTF stands for Rich Text Format and is used for word processing. Most Windows installations with Microsoft Office open RTF documents in Microsoft Word by default, and this is where the risk is introduced. When the attached RTF file is opened, the attacker uses social engineering to tempt the victim into double-clicking an embedded OLE object inside the document. If the victim double-clicks the object, a CPL file is served. No exploits have been observed in these attacks; they rely solely on social engineering.

CPL files are system files primarily associated with Windows Control Panel extensions, but they can be used to run arbitrary commands, and this is exactly the mechanism this gang is using.

If the user ignores the several warnings and opens the CPL file regardless, it makes an HTTP GET request to a download server, from which it fetches and runs a binary file.
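A defender-side check for the delivery chain described above, added here as an example (it is not CSIS code): it pulls the \objdata blobs out of an RTF file, looks up the OLE class of each embedded object, and flags objects whose decoded bytes carry a PE header or an executable file name such as .cpl. The sample RTF, the file names and the simplified OLE1/Package layout are constructed for the example.

```python
"""Flag RTF files that embed an OLE Package object wrapping an executable payload.
Added example with constructed names and data; not CSIS tooling."""
import re

OBJDATA_RE = re.compile(rb"\\objdata\s+([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
# Extensions Windows will execute when the user double-clicks a Package object.
RISKY_EXT_RE = re.compile(rb"\.(cpl|exe|scr|bat|com|js|vbs)\x00", re.IGNORECASE)

def assess(data: bytes) -> list:
    """Heuristic indicators that a decoded \\objdata blob carries an executable."""
    findings = []
    mz = data.find(b"MZ")
    if mz != -1 and b"PE\x00\x00" in data[mz:]:  # DOS stub followed by a PE signature
        findings.append("pe-header")
    for ext in RISKY_EXT_RE.finditer(data):  # NUL-terminated names in the Package header
        start = data.rfind(b"\x00", 0, ext.start()) + 1
        findings.append("exec-filename:" + data[start:ext.end() - 1].decode("latin-1"))
    return findings

def scan_rtf(rtf: bytes) -> list:
    """One record per embedded object: OLE class name, decoded size and findings."""
    classes = [(c.start(), c.group(1).strip().decode("latin-1")) for c in OBJCLASS_RE.finditer(rtf)]
    records = []
    for m in OBJDATA_RE.finditer(rtf):
        cls = "?"
        for pos, name in classes:  # the last \objclass seen before this \objdata
            if pos < m.start():
                cls = name
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        data = bytes.fromhex(hexdata[: len(hexdata) & ~1].decode("ascii"))
        records.append({"class": cls, "size": len(data), "findings": assess(data)})
    return records

def _build_sample() -> bytes:
    """Constructed RTF: a benign object plus a Package object wrapping a fake .cpl.
    The OLE1/Package layout is simplified; only the fields the scanner inspects are realistic."""
    payload = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"fake stub"
    package = (b"\x02\x00" + b"invoice.cpl\x00" + b"C:\\Users\\Public\\invoice.cpl\x00"
               + b"\x00\x03\x00\x00" + len(payload).to_bytes(4, "little") + payload)
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00" + b"\x00" * 8
            + len(package).to_bytes(4, "little") + package)
    return (b"{\\rtf1\\ansi Please double-click the attached invoice.\\par\n"
            b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata 0105000002000000}}\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + ole1.hex().encode() + b"}}}")

SAMPLE_RTF = _build_sample()
```

Running `scan_rtf` on a mail gateway's RTF attachments and alerting on any record whose findings list is non-empty catches this lure before the user ever sees the double-click prompt.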

This binary file is an information stealer in the ZeuS class, but it has been significantly improved and contains several new capabilities, among them in-session webinjects and MiTM (Man in the Middle) attacks. This is achieved, among other things, by installing a CA root certificate and at the same time modifying the local DNS settings. Several rogue DNS servers have been identified.

Changing the DNS settings also prevents the infected host from connecting to a number of domains belonging to antivirus vendors, software and support portals, and security companies; the blocklist we recovered is a long one, covering the sites of most well-known antivirus and security vendors.


The code is protected with a Visual Basic (VB) cryptor on top of the Win32 PE executable. This shields the underlying code from antivirus detection and at the same time makes static and dynamic analysis more troublesome.

The VB cryptor in use can be linked to at least two groups of IT criminals carrying out systematic and targeted attacks on home-banking systems across Europe. The cryptor can be recognized by various "compile" remnants that reveal, among other things, the string "bubu.vbp".

We have dubbed this ZeuS/Citadel variant "Zalabu" (internal naming). Microsoft has named it "Retefe". It should be considered a serious threat. It harvests data, can send spam emails from the infected machine to a list of contacts harvested on the local machine, and at the same time can perform real-time MiTM attacks against various online services.

Another interesting observation is that the code also tries to disable Microsoft anti-malware protection.

The campaigns are geographically targeted and are distributed in several languages.

We have blocked several of the domains in CSIS Secure DNS, so that Heimdal PRO and corporate customers are also protected against data leakage and remote control of compromised machines.

Microsoft has also done a write-up on this campaign/malware with some additional details:
http://blogs.technet.com/b/mmpc/archive/2014/02/27/a-close-look-at-a-targeted-attack-delivery.aspx