Wedding-Inspired Spam Leads to Kuluoz Infection
by Larry
Weddings, no doubt, are always special. They are celebrated in more ways than one, depending on the culture, country, religious affiliation and tradition a couple belongs to or wishes to follow. However it is practiced, one thing is certain: the preparation and planning behind it are grueling, stressful and time consuming.
Thanks to technology and human ingenuity, wedding preparation is more manageable and a lot quicker to pull off than before. For one thing, there are services available online that cater to the soon-to-be-wedded who opt for the modern way of sending out wedding invitations in the form of e-cards.
Our researchers in the AV Labs captured a malicious spam message posing as a wedding invitation purportedly from White Wedding Agency, a business entity in Prague:
Malicious wedding invitation spam
From: {random email address}
Subject/s:
Wedding Invite
Wedding Invitation
Message body:
You are Cordially Invited to Celebrate
the Our Wedding
On Tuesday March the 29 at Four O’clock
Followed by a Reception
Get Full Invitation Text
Clicking the link at the bottom of the message downloads a ZIP-compressed file. The file looks like this once decompressed:
Postal-Receipt.exe
Notice that the file uses an icon that mimics a Microsoft Word document, an attempt to mask its true file type, which is an executable. As we have seen before, this trick is most effective when file extensions are hidden, which is the case unless the user has turned on the option to show them.
We also found out that the malicious file is hosted on legitimate but compromised websites. It has the following URL format:
{compromised domain}/components/.{random alphanumeric characters}.php?receipt=ss00_323
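As an added example that is not part of the original post, the following Python scans proxy-log lines for requests matching the URL format above, so that downloads of the dropper can be spotted even though the compromised domain varies; the log layout, hostnames and client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Pattern for the URL format described in the post:
#   {compromised domain}/components/.{random alphanumeric}.php?receipt=ss00_323
# The path is checked against the directory, the dot-prefixed PHP name and the
# fixed query value; the domain is left free because it differs per compromised host.
PATH_RE = re.compile(r"^/components/\.([A-Za-z0-9]+)\.php$")
EXPECTED_QUERY = {"receipt": ["ss00_323"]}


def match_kuluoz_url(url):
    """Return (domain, script_name) if url fits the pattern, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    m = PATH_RE.match(parsed.path)
    if m is None:
        return None
    if parse_qs(parsed.query) != EXPECTED_QUERY:
        return None
    return parsed.netloc.lower(), m.group(1)


def scan_proxy_log(lines):
    """Scan space-separated proxy log lines (timestamp client method url status)
    and return a list of (client_ip, domain, script_name) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, url = fields[1], fields[3]
        found = match_kuluoz_url(url)
        if found:
            hits.append((client_ip, found[0], found[1]))
    return hits


# Constructed sample log lines (not from the original post); domains are placeholders.
SAMPLE_LOG = [
    "2011-03-22T09:14:02 10.0.0.15 GET http://example-compromised.test/components/.a7Kq9zX2.php?receipt=ss00_323 200",
    "2011-03-22T09:14:05 10.0.0.15 GET http://example-compromised.test/components/.a7Kq9zX2.php?receipt=ss00_999 200",
    "2011-03-22T09:15:11 10.0.0.22 GET http://www.example.test/components/index.php?receipt=ss00_323 200",
    "2011-03-22T09:16:40 10.0.0.31 GET https://another-site.test/components/.Zz91abc.php?receipt=ss00_323 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("suspected Kuluoz download: client=%s host=%s script=.%s.php" % hit)
```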
Below are the determinations for the malware from our ThreatAnalyzer results:
Malware Determinations for “Postal-Receipt.exe”
If users execute the file, it drops and opens a text file, Postal-Receipt.txt, to distract them from the activities the malware performs in the background. Below is a screenshot of the said file:
Profile-Receipt.txt