Wedding-Inspired Spam Leads to Kuluoz Infection

by

Apr
02
2013

avatar1 (Small)

Weddings, no doubt, are always special. It is celebrated in more ways than one, depending on the culture, country, religious affiliation and tradition a couple belongs or wish to adhere to. However it is practiced, one thing is certain: the preparations and plannings behind it have been grueling, stressful and time consuming.

Thanks to technology and human ingenuity, wedding preparation is more manageable and a lot quicker to pull off than before. For one thing, there are services available online that cater to the soon-to-be-wedded who opt for the modern way of sending out wedding invitations in the form of e-cards.

Our researchers in the AV Labs captured a malicious spam appearing to be a wedding invitation purportedly from White Wedding Agency, a business entity in Prague:

image002 (Small)

Malicious wedding invitation spam                                                               click to enlarge

From: {random email address}
Subject/s:

Wedding Invite
Wedding Invitation

Message body:
You are Cordially Invited to Celebrate

the Our Wedding

On Tuesday March the 29 at Four O’clock

Followed by a Reception

Get Full Invitation Text

Clicking the link at the bottom of the message downloads a ZIP-compressed file. The file looks like this once decompressed:

image003 (Small)

Postal-Receipt.exe                                                                                               click to enlarge

Notice that the file uses an icon that mimics the look of a Microsoft Word document file, an attempt to mask its true file type (which is an executable). As we have seen before, this method is most effective especially if the user did not set the option to view file extensions by default.

We also found out that the malicious file is hosted on legitimate but compromised websites. It has the following URL format:

{compromised domain}/components/.{random alphanumeric characters}.php?receipt=ss00_323

Below are the determinations of the malware as per our ThreatAnalyzer results:

image004 (Small)

Malware Determinations for “Postal-Receipt.exe”                              click to enlarge

If users execute the file, it drops and opens the text file, Postal-Receipt.txt, as a way to distract users from noticing activities being done by the malware in the background. Below is a screenshot of the said file:

image005 (Small)

Profile-Receipt.txt             click to enlarge

Comments are closed.