Symantec has observed an ongoing spam campaign targeting Brazil-based companies and other firms that use Portuguese-language computers around the globe. The attackers behind the campaign appear to be interested in obtaining access to email accounts to ultimately steal sensitive information.
We’ve observed more than 40,000 emails related to this campaign so far. Symantec has observed the attacks affecting medium-to-large businesses mainly in Brazil. In this operation, the attackers seem to limit their reach to Portuguese-language computers. However, we have also seen attacks against a small number of well-known non-Brazilian companies, especially ones that have affiliated businesses and branches dealing with Portuguese-speaking regions worldwide.
Figure 1. Chart showing the number of spam emails sent by attackers from January 13-20
The malicious emails are simple yet effective. The messages use a run-of-the-mill financial theme to make recipients believe that money has been transferred to their bank account.
How the campaign works
The emails entice recipients to open the attachment, which is disguised as a receipt. As of our latest analysis, the attackers have slightly changed their emails’ social-engineering technique. They now use the email subject “Emissão de nota Fiscal [RANDOM NUMBER]” (translation: Issued invoice).
Figure 2. Email sample in Portuguese containing a malicious attachment disguised as a receipt
The message’s attachment, however, is actually a malicious .vbs file detected by Symantec’s .Cloud email solution as Trojan.Gen. Symantec and Norton’s antivirus products detect it as VBS.Downloader.Trojan.
The .vbs file downloads other malicious files from its command and control (C&C) server onto the compromised computer. The following includes examples of the URLs used to download the final payloads (where [NUMBER] could be between 0 and 500):
- http://sfgHwttisgg.guildx200[NUMBER].changeip.net/02/[MALICIOUS FILE NAME]
- http://sfghtidcnuf.guildx200[NUMBER].changeip.net/01/[MALICIOUS FILE NAME]
- http://sfghupwtkta.guildx200[NUMBER].changeip.net/01/[MALICIOUS FILE NAME]
- http://sfghyojuotuk.guildx200[NUMBER]changeip.net/01/[MALICIOUS FILE NAME]
The .vbs file downloads the following files:
The malicious .dll executes svchost.exe to inject code into it. The .dll then reads from the infostealer, until it finds a window with the title "guildmaxx-OK".
The .dll then gives the “go” signal to allow the infostealer to execute. The infostealer only runs if the compromised computer’s System Locale is set to Portuguese. Once activated, the infostealer sends system information back to its C&C server and waits for new commands. These could include requests for email and browser passwords that were collected using the files detected as PasswordRevealer.
Figure 3. Malware’s infection chain
Key to the castle
Why are the attackers targeting email accounts? Emails contain a lot of information and may provide a way to access various services, both internal and external. In this campaign, the attackers may gain access to employees’ email accounts and from there, reach internal services and sensitive information, including financial data, source code, employee information, and contacts. The attackers may also use the stolen information for further spam campaigns and targeted attacks.
As the spammers in this case use basic social-engineering tactics in their campaigns, users should adhere to the following best practices to avoid having their computers compromised:
- Do not open attachments or click on links in suspicious email messages
- Avoid providing any personal information when answering an email
- Never enter personal information in a pop-up web page
- Keep security software up to date
- If you’re uncertain about an email’s legitimacy, contact your internal IT department or submit the email to Symantec Security Response through this portal.
A full protection stack helps to defend against these attacks, including Symantec.cloud email blocking, web gateway security, and endpoint security. Symantec’s Phishing Readiness solution can also be used to help prevent phishing intrusions.
Symantec and Norton products protect users against the malware seen in this campaign under the following detections:
Skeptic (.Cloud protection)
Intrusion Prevention System: