Massive malware spam campain to corporate domains in Colombia

Published: 2015-05-01
Last Updated: 2015-05-01 18:46:28 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
6 comment(s)

There was a massive malware spam campain directed to corporate domains in Colombia. The following was the e-mail received:

ACH spam e-mail

Now this e-mail has two interesting aspects:

  • It is tracking if the user reads the message using the google analytics API by invoking the following:
    img src=3D
  • It has a link to a dropbox file being masqueraded with the google url redirection script:

When opened, this document has embedded a visual basic script that downloads a known trojan password stealer designed for colombian banks.

This domain uses a private registation service, avoiding to know the identity of the registrar:

frterminales private registration

Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see google domain in the URLs.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

6 comment(s)
ISC StormCast for Friday, May 1st 2015


Diary Archives