Bitdefender has reported a wave of targeted spam that is currently infecting Windows computers with a backdoor, allowing cybercriminals to steal sensitive business information. Researchers at Bitdefender's Antispam Labs have identified a few thousand emails carrying attachments with the .pub extension, posing as orders or bills for goods. The senders impersonate employees, usually of small and medium businesses in the UK and China, but not only there; larger companies are also targeted.

Recipients are invited to open the attachments with Microsoft Publisher, a desktop publishing (DTP) application included with Microsoft Office 365. Publisher is commonly used to edit and format text, or to create flyers, newsletters, e-mailings and so on.
".pub is not a frequently used file extension for distributing malware," says Adrian Miron, head of the Antispam division at Bitdefender Labs. "Spammers have chosen this type of file because, in general, people do not realize it can be a vector of infection."

The infected .pub file contains a VBScript that embeds a URL pointing to a remote host. From there, the malware downloads a self-extracting archive containing the AutoIt scripting tool, the script it is to run, and content encrypted with AES-256.
Bitdefender's antimalware researchers noted that this encrypted file can be decrypted using a key derived from the MD5 (Message Digest 5) hash of a text string written inside the AutoIt file. The AutoIt script decodes the MD5 to obtain the decryption key; once the file is decrypted and installed, the attackers have access to the system through a backdoor and can control the resources of the compromised computer. The malware can log keystrokes to capture passwords and user names, steal login information from web browsers or e-mail clients, view system data and perform other intrusive actions.

"We have reason to believe that this type of attack comes from Saudi Arabia and the Czech Republic," adds Adrian Miron.

Bitdefender detects and blocks this .pub file as W97M.Downloader.EGF and the backdoor payload as Generic.Malware.SFLl.545292C0. To stay protected against such threats, Bitdefender advises companies to install a reliable spam filter. Users should avoid opening or downloading suspicious attachments from unknown sources.

Technical analysis by Alexandru Rusu, Antimalware Research, and Adrian Miron, Head of the Antispam Division at Bitdefender.
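The gateway-side check that the advice above amounts to, as an added example written for this article and not Bitdefender's own code: it parses a message with Python's standard library and flags a Publisher (.pub) attachment on a mail that poses as an order or invoice. The sample message, the extension list and the lure words are constructed for illustration; the script is a triage heuristic and does not reproduce the antivirus detections named in the article.

```python
import email
import email.policy
from email.message import EmailMessage

# Extensions the article singles out: Publisher documents are rarely a
# legitimate way to send an order, so a .pub attachment on such a mail
# deserves review (assumption: list limited to the campaign described).
SUSPECT_EXTENSIONS = {".pub"}
# Subject words used as lures in the campaign (constructed list).
LURE_WORDS = ("order", "invoice", "bill", "purchase")


def triage_message(raw: bytes) -> dict:
    """Return a verdict for one RFC 822 message: which attachments look
    suspicious and why. Heuristic only; a gateway would still scan or
    sandbox the attachment before releasing it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = (msg["Subject"] or "").lower()
    lure = any(word in subject for word in LURE_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext not in SUSPECT_EXTENSIONS:
            continue
        reasons = ["rare document type (%s) used as attachment" % ext]
        if lure:
            reasons.append("subject poses as an order or invoice")
        if part.get_content_type() == "application/octet-stream":
            reasons.append("generic content type hides the file format")
        findings.append({"file": name, "reasons": reasons})
    return {"quarantine": bool(findings), "findings": findings}


def build_sample() -> bytes:
    """Constructed sample mail in the shape the article describes (not a
    real sample): an 'order' carrying a .pub attachment."""
    m = EmailMessage()
    m["From"] = "Accounts <accounts@example.com>"
    m["To"] = "buyer@example.org"
    m["Subject"] = "Purchase order 4471"
    m.set_content("Please find the order attached.")
    m.add_attachment(b"\xd0\xcf\x11\xe0placeholder", maintype="application",
                     subtype="octet-stream", filename="order_4471.pub")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```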