We recently observed a small spam campaign targeting users apparently at random; the bulk of the affected users were in India.
Figure 1. Heatmap of compromised computers related to the spam campaign
The emails contained a malicious attachment, detected as Spyware.Redpill, which is used by the bad guys to steal confidential information.
Spyware.Redpill is not new by any means; back in 2008 we created a signature for Spyware.Redpill to protect users. Redpill was designed to collect information for people wishing to know if their partner had been cheating on them. The name "red pill" is a nod to the Matrix film franchise, in which the red pill and its opposite, the blue pill, represent the choice between the blissful ignorance of illusion (blue) and embracing the sometimes painful truth of reality (red).
Opening the attached file will display an error message in order to hide the malicious purpose of the file and trick the user into thinking that the file is corrupted.
Figure 2. Error message displayed when the file is opened
In this particular case, the user might think that nothing happened, but unfortunately the malware has been executed and has already begun to steal information.
In the background the malware installs itself on the compromised computer by creating the following files:
- %ProgramFiles%\[RANDOM CHARACTERS FOLDER NAME]\ad.dll
- %ProgramFiles%\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe
Moreover, in order to be executed whenever Windows starts it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS REGISTRY ENTRY]" = "%ProgramFiles%\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe"
Subsequently, the threat begins to record keystrokes and take screenshots.
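The two artifacts above, a Run entry pointing into a freshly created folder under %ProgramFiles% and an ad.dll sitting next to the executable, are enough for a simple triage check. The script below is an added example written for this post, not Symantec's own tooling: it takes an exported copy of the Run key values and a directory listing of the folders they point at (both constructed here, with made-up folder and file names) and flags any entry whose executable lives in a folder directly under %ProgramFiles% that also contains ad.dll. The expansion of %ProgramFiles% to C:\Program Files is an assumption about the host being examined.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample data (not from the original post): a dump of the
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values in the
# "name" = "command" form shown above, plus a listing of the folders the
# commands point at. The folder and file names are made up.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "SecurityHealth": r'"%ProgramFiles%\Windows Defender\MSASCuiL.exe"',
    "qzkwtrh": r'"%ProgramFiles%\xkqvbnm\rtyuiop.exe "',
    "OneDrive": r'"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background',
}

SAMPLE_LISTING: Dict[str, List[str]] = {
    r"C:\Program Files\Windows Defender": ["MSASCuiL.exe", "MpCmdRun.exe"],
    r"C:\Program Files\xkqvbnm": ["ad.dll", "rtyuiop.exe"],
}

# Assumed expansion of %ProgramFiles% on the host being triaged.
PROGRAM_FILES = r"C:\Program Files"
# Companion file named in the post as part of the Redpill install.
COMPANION_DLL = "ad.dll"

# Matches the executable part of a Run value: optional opening quote,
# everything up to the first ".exe", then optional whitespace and quote.
_EXE_RE = re.compile(r'^"?\s*(.*?\.exe)\s*"?', re.IGNORECASE)


def executable_path(run_value: str) -> str:
    """Return the executable path from a Run value with quotes, stray
    trailing whitespace and command-line arguments removed, and
    %ProgramFiles% expanded to the assumed path."""
    stripped = run_value.strip()
    match = _EXE_RE.match(stripped)
    path = match.group(1) if match else stripped.strip('"')
    # A lambda avoids re.sub interpreting backslashes in the replacement.
    return re.sub(r"%ProgramFiles%", lambda _: PROGRAM_FILES, path, flags=re.IGNORECASE)


def persists_with_companion_dll(exe_path: str, listing: Dict[str, List[str]]) -> bool:
    """True when exe_path sits in a folder directly under %ProgramFiles%
    that also contains ad.dll, the layout described for Spyware.Redpill."""
    folder = ntpath.dirname(exe_path)
    if ntpath.dirname(folder).lower() != PROGRAM_FILES.lower():
        return False
    by_folder = {k.lower(): [f.lower() for f in v] for k, v in listing.items()}
    return COMPANION_DLL in by_folder.get(folder.lower(), [])


def find_suspicious_run_entries(
    run_values: Dict[str, str], listing: Dict[str, List[str]]
) -> List[Tuple[str, str]]:
    """Return (value name, resolved executable path) for every Run entry
    that matches the Redpill persistence layout."""
    hits: List[Tuple[str, str]] = []
    for name, value in run_values.items():
        exe = executable_path(value)
        if persists_with_companion_dll(exe, listing):
            hits.append((name, exe))
    return hits


if __name__ == "__main__":
    for name, exe in find_suspicious_run_entries(SAMPLE_RUN_VALUES, SAMPLE_LISTING):
        print(f"suspicious Run entry {name!r} -> {exe}")
```

On a live system the two inputs would come from an export of the Run key and a listing of each referenced folder; the check deliberately keys on the folder layout rather than on the random names, which change from sample to sample.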
The stolen information is sent to an email account hardcoded into the program. In our investigations we found details of the email account used by the attacker to receive the stolen data: for example, it received over 12,000 emails in March 2013. It is clear from this that the people behind this scheme are not looking for information on hundreds of cheating spouses, but are instead after valuable personal information and account details.
What kind of information was being stolen?
- Credentials for various social networking accounts
- Bank account details
- Emails written on the compromised computers
- Screenshots of documents
Interestingly the malicious email account also has a backup email address. We have traced that email address to a member of an underground forum where this person was looking to buy email accounts, possibly in order to create and ship new malware variants with different hardcoded credentials built in.
Figure 3. Attacker looking to buy email account
In order to avoid this kind of attack, we recommend that users do not open unknown attachments and make sure that best security practices are followed. Ensure that the most up-to-date software patches are in place, and use the latest Symantec technologies and virus definitions for the best protection against threats.