SecureList has identified an email spam campaign that is currently being used to attack computers in Brazil. While the majority of victims are located in Brazil, the same malware is also being used to target users in Spain, Portugal, the United States and beyond.
To avoid detection, the attackers have hidden an encrypted malicious payload inside a PNG file, a common image format that most people do not associate with malware.
The image file is not attached to the spam email itself. Instead, the attack begins with a PDF file containing a malicious link. The PDF is sent out in spam emails that use social engineering to trick users into opening the attachment. The PDF contains no malicious code of its own; it relies on the link to infect users, and visiting that link starts the infection process.
The link leads users to install a malicious Java JAR file, which in turn downloads a ZIP archive. The archive contains a number of files, among them a malicious PNG file, or at least a file carrying a PNG header. When the researchers analyzed this file, they found that it was far larger than the declared dimensions of the image could account for.
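The size mismatch the researchers noticed is a check a defender can automate. The following Python script is an added example, not SecureList's analysis tooling or Kaspersky Lab's code: it walks the PNG chunk stream, verifies each chunk's CRC, reports any bytes appended after the IEND chunk, and compares the file size against an upper bound derived from the image dimensions in IHDR. It goes slightly beyond the page by covering three ways a payload can ride in a PNG: appended after IEND, stuffed into an extra chunk with a valid CRC, or a bare signature and header over a blob. The sample files, the payload bytes and the 64 KiB slack allowance for ancillary chunks are constructed assumptions for the demonstration.

```python
"""Heuristic check for PNG files carrying more bytes than their pixels justify.

Added example; not SecureList's or Kaspersky Lab's tooling.  All samples are
constructed inline so the script runs offline.
"""
import hashlib
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Channels per pixel by PNG colour type: grey, RGB, palette, grey+alpha, RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
# Assumed allowance for legitimate ancillary chunks (ICC profiles, text) before
# a file is called oversize.  Tune this for your environment.
SLACK_BYTES = 64 * 1024


def _chunk(ctype, payload):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _ihdr(width, height):
    """IHDR for an 8-bit truecolour (RGB) image, no interlace."""
    return struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)


def build_rgb_png(width, height, extra_chunks=()):
    """Constructed sample: a solid-black RGB PNG, optionally with extra chunks before IEND."""
    scanlines = (b"\x00" + b"\x00" * (3 * width)) * height  # filter byte 0 + pixels per row
    body = _chunk(b"IHDR", _ihdr(width, height)) + _chunk(b"IDAT", zlib.compress(scanlines))
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIGNATURE + body + _chunk(b"IEND", b"")


def max_plausible_size(width, height, depth, color_type):
    """Upper bound on a well-formed file's size from its IHDR fields.

    Worst-case deflate output ('stored' blocks) is the raw scanlines plus 5 bytes
    per 64 KiB block and a 6-byte zlib wrapper, so a real encoder cannot
    legitimately exceed raw size by more than that plus ancillary-chunk slack.
    """
    channels = CHANNELS.get(color_type, 4)
    row_bytes = 1 + math.ceil(width * channels * depth / 8)
    raw = row_bytes * height
    return raw + 5 * math.ceil(raw / 65535) + 6 + SLACK_BYTES


def inspect_png(data):
    """Walk the chunk stream and report anomalies that indicate an embedded payload."""
    report = {"reasons": [], "trailing_bytes": 0, "crc_failures": 0, "width": None, "height": None}
    if not data.startswith(PNG_SIGNATURE):
        report["reasons"].append("bad signature")
        report["suspicious"] = True
        return report
    pos, bound = len(PNG_SIGNATURE), None
    while True:
        if pos + 8 > len(data):
            report["reasons"].append("no IEND chunk")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_data = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(chunk_data) != length or len(crc_field) != 4:
            report["reasons"].append("truncated chunk %r" % ctype)
            break
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + chunk_data) & 0xFFFFFFFF):
            report["crc_failures"] += 1
        if ctype == b"IHDR" and length >= 13:
            w, h, depth, color_type = struct.unpack(">IIBB", chunk_data[:10])
            report["width"], report["height"] = w, h
            bound = max_plausible_size(w, h, depth, color_type)
        pos += 12 + length
        if ctype == b"IEND":
            report["trailing_bytes"] = len(data) - pos  # anything after IEND is not image data
            break
    if report["trailing_bytes"]:
        report["reasons"].append("%d bytes after IEND" % report["trailing_bytes"])
    if report["crc_failures"]:
        report["reasons"].append("%d chunk CRC failures" % report["crc_failures"])
    if bound is not None and len(data) > bound:
        report["reasons"].append("file is %d bytes but a %dx%d image should not exceed %d"
                                 % (len(data), report["width"], report["height"], bound))
    report["suspicious"] = bool(report["reasons"])
    return report


# Constructed stand-in for the encrypted executable: 128 KiB of deterministic bytes.
PAYLOAD = hashlib.sha256(b"constructed sample payload").digest() * 4096

BENIGN = build_rgb_png(2, 2)                                         # a real 2x2 image
APPENDED = BENIGN + PAYLOAD                                           # payload glued after IEND
STUFFED = build_rgb_png(2, 2, extra_chunks=[(b"IDAT", PAYLOAD)])      # payload in a valid-CRC chunk
HEADER_ONLY = PNG_SIGNATURE + _chunk(b"IHDR", _ihdr(2, 2)) + PAYLOAD  # PNG header over a blob

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("appended", APPENDED),
                       ("stuffed", STUFFED), ("header_only", HEADER_ONLY)]:
        r = inspect_png(blob)
        print("%-12s %-10s %s" % (name, "SUSPICIOUS" if r["suspicious"] else "ok", "; ".join(r["reasons"])))
```

The size bound is deliberately generous: it assumes the encoder stored every scanline uncompressed, so a legitimate file essentially never trips it, while a small image carrying an executable-sized payload exceeds it by orders of magnitude. Bytes after IEND and CRC failures are flagged independently because they remain anomalies even when the file is small.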
Further investigation showed how the payload hidden in the PNG file is loaded into memory: the launcher uses a technique known as RunPE (also called process hollowing), in which a legitimate program is started in a suspended state, its in-memory image is replaced with the decrypted malicious executable, and the process is then resumed so the malicious code runs under the legitimate program's name. In this instance that process is iexplore.exe.
The malicious PNG file cannot infect a machine on its own, since a launcher is required to decrypt its contents. The scammers send the PDF file to start the infection process, and because the file delivered in the ZIP archive carries a PDF extension, users who download it are likely to double-click it to open it, thus infecting their systems. As the malicious code carried in the PNG file is encrypted, it is not picked up by signature-based antivirus scanning. However, SecureList points out that the malicious files used in this attack are detected by Kaspersky Lab products.