Paul Walker’s Death Used to Spread Personalized Trojan Horses

It was only a few months ago that Paul Walker that left us in a fiery car accident. These days it is common for spammers and malware writers to use a celebrity’s death to spread malware. In this case, it started with emails with links to a video of Paul Walker’s car on fire, but instead contained a link to a malicious file.

In the latest slew of emails, the sender makes a plea to the victim to find a Dodge Viper GT that was supposedly racing with Paul Walker’s car. The email asks that anyone with information call a number in the email or open the attached file to view a picture of the Viper GT’s driver. In every sample we have dealt with there is always a promise of reimbursement or compensation for helping capture the Viper GT’s driver.

These attacks are unique because of the regular change of subject lines and body text to bypass spam filters. The attacker tries to personalize the email with the recipient’s name in the body, subject, or attached file name.

Each executable file is made specifically for the email address it is sent to and is compiled just before the email is sent. The sender’s email address is always an aol.com email account that has most likely been hacked or otherwise compromised. Whenever a user is compromised, their address book is harvested to continue the chain of personalized emails.

figure1_16.png
Figure 1.
Email about Paul Walker’s death with malicious attachment from January 30, 2014

figure2_15.png
Figure 2.
Email about Paul Walker’s death with malicious attachment from January 31, 2014

Once the malicious file has been executed an error notification is sent indicating that a  32-bit or 64-bit computer is needed to run the file. It may also indicate that the user does not have sufficient permissions to run the file even though the malware continues to run in the background.  The Trojan will start to perform DNS queries through a list of domains with similar names until the malware gets a DNS query return and then it will connect to that URL to download a file into the following directory:

"%UserProfile%\Application Data\amhldfbyjmg\kskzjmtypb.exe”

Once the file (kskzjmtypb.exe) is downloaded, it runs and connects to p9p-i.geo.vip.bf1.yahoo.com to download qr1aon1tn.exe. When this runs, it drops the following file:

"%UserProfile%\Application Data\amhldfbyjmg\fdxeuzv.exe”

Symantec detects this malware as Trojan Horse.

Symantec advises users to be on their guard and to adhere to the following security best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.