Spam Campaign Spreading Malware Disguised as HeartBleed Bug Virus Removal Tool

At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world. If you haven’t heard of the Heartbleed Bug, Symantec has published a security advisory and a blog detailing how the Heartbleed bug works.

As with any major news, it is only a matter of time before cybercriminals take advantage of the public’s interest in the story. Symantec recently uncovered a spam campaign using Heartbleed as a way to scare users into installing malware onto their computers. The email warns users that while they may have done what they can by changing their passwords on the websites they use, their computer may still be “infected” with the Heartbleed bug. The spam requests that the user run the Heartbleed bug removal tool that is attached to the email in order to “clean” their computer from the infection.

This type of social engineering targets users who may not have enough technical knowledge to know that the Heartbleed bug is not malware and that there is no possibility of it infecting computers. The email uses social and scare tactics to lure users into opening the attached file.

One warning sign that should raise suspicion is that the subject line, “Looking for Investment Opportunities from Syria,” is totally unrelated to the body of the email.


Figure 1. Heartbleed bug removal tool spam email

The email tries to gain credibility by pretending to come from a well-known password management company. The email provides details on how to run the removal tool and what to do if antivirus software blocks it. The attached file is a docx file which may seem safer than an executable file to users. However, once the docx file is opened the user is presented with an encrypted zip file. Once the user extracts the zip file, they will find the malicious heartbleedbugremovaltool.exe file inside.


Figure 2. Encrypted zip file
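As an added illustration (not code from the Symantec post), the following Python triage helper unpacks a .docx as the zip container it is, looks for an embedded archive, and reports any executable or encrypted member, which is exactly the docx-to-zip-to-exe chain described above. The constructed sample docx, the embedding path word/embeddings/oleObject1.bin and the fake "MZ" stub are assumptions, not the real attachment.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def _walk_archive(data, path, depth=0, max_depth=3):
    """Report nested archives and executables found in one zip container."""
    findings = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}!{info.filename}"
            if info.flag_bits & 0x1:
                # Encrypted member: contents unreadable, but a password-protected
                # archive inside a document is itself worth alerting on.
                findings.append(("encrypted-member", member))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(ZIP_MAGIC):
                findings.append(("nested-archive", member))
                findings += _walk_archive(zf.read(info), member, depth + 1, max_depth)
            elif head.startswith(PE_MAGIC) or info.filename.lower().endswith(EXEC_EXTS):
                findings.append(("executable", member))
    return findings


def inspect_docx(docx_bytes, name="attachment.docx"):
    """A .docx is itself a zip; return (kind, path) tuples worth alerting on."""
    if not docx_bytes.startswith(ZIP_MAGIC):
        return [("not-a-zip-container", name)]
    return _walk_archive(docx_bytes, name)


def build_sample_lure():
    """Constructed sample (not the real attachment): docx -> zip -> fake EXE stub."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("heartbleedbugremovaltool.exe", PE_MAGIC + b"\x90" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        # Hypothetical embedding path; real OLE packaging adds wrapper bytes.
        zf.writestr("word/embeddings/oleObject1.bin", inner.getvalue())
    return outer.getvalue()
```

Run `inspect_docx(build_sample_lure())` to see the chain reported as a nested archive followed by an executable member.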

Once heartbleedbugremovaltool.exe is executed, it downloads a keylogger in the background while a popup message appears on the screen with a progress bar. Once the progress bar completes, a message states that the Heartbleed bug was not found and that the computer is clean.


Figure 3. Popup message

After the fake removal tool gives a clean bill of health, users may feel relieved that their computers are not infected. This couldn’t be further from the truth: they now have a keylogger recording keystrokes, taking screenshots, and sending the captured confidential information to a free hosted email provider.

As detailed in the official Symantec Heartbleed Advisory, Symantec warns users to be cautious of any email that requests new or updated personal information, and emails asking users to run files to remove the Heartbleed bug. Users should also avoid clicking on links in suspicious messages.

Symantec detects this malware as Trojan.Dropper and detects the downloaded malicious file as Infostealer. The Skeptic heuristics engine is blocking this campaign and detecting it as Trojan.Gen.

Fake AV Software Updates Are Distributing Malware


Contributor: Joseph Graziano

A clever new social engineering spam campaign is circulating today that attempts to trick users into running malware on their computers. The malware authors send emails pretending to come from various antivirus software companies, announcing an important system update that the end user must install, and attach a fake hotfix patch file for the antivirus software. The email plays on end users’ concern about a lack of detection, especially in the face of the latest threats showcased in the media recently, such as the Cryptolocker Trojan. This type of social engineering entices users to open and install the hotfix without much discretion as to what they may actually be installing.

Symantec has observed a number of different email subject lines that include many well-known antivirus software companies:

  • AntiVir Desktop: Important System Update - requires immediate action
  • Avast Antivirus: Important System Update - requires immediate action
  • AVG Anti-Virus Free Edition: Important System Update - requires immediate action
  • Avira Desktop: Important System Update - requires immediate action
  • Baidu Antivirus: Important System Update - requires immediate action
  • Cloud Antivirus Firewall: Important System Update - requires immediate action
  • ESET NOD32 Antivirus: Important System Update - requires immediate action
  • Kaspersky Anti-Virus: Important System Update - requires immediate action
  • McAfee Personal Firewall: Important System Update - requires immediate action
  • Norton AntiVirus: Important System Update - requires immediate action
  • Norton Internet Security: Important System Update - requires immediate action
  • Norton 360: Important System Update - requires immediate action
  • Symantec Endpoint Protection: Important System Update - requires immediate action
  • Trend Micro Titanium Internet Security: Important System Update - requires immediate action

Although the subject line changes, the attached zip file containing the malicious executable stays the same.

Once the malware is executed, a connection is made to to download another file. The malware is using a process called ozybe.exe to perform tasks.


Protection & best practices

The Skeptic scanner of Symantec Email can block this and similar emails before they even reach the end user. In addition, Symantec also detects the files associated with this attack using the following signature names:

Symantec advises following best practices to avoid becoming a victim of social engineering spam attacks:

  • Do not click on suspicious links in email messages.
  • Do not open any attachments from senders you do not know or are not expecting an attachment from.
  • Do not provide any personal information when replying to an email.
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing and social networking scams.
  • Exercise caution when clicking on enticing links sent through email or posted on social networks.

APT1: Q&A on Attacks by the Comment Crew

Today Mandiant released a detailed report dubbed "APT1" which focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q&A briefly outlines some of the relevant Symantec information around this group:

Q: Do Symantec and Norton products protect against threats used by this group?

Yes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. and Symantec Mail Security for Microsoft Exchange also detect the targeted emails used by this group.

Q: Has Symantec been aware of the activities of the Comment Crew?

Yes. Symantec has been actively tracking the work of the Comment Crew for a period of time to ensure that the best possible protection is in place for the different threats used by this group.

Q: Why are they called the Comment Crew?

They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
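An added example of the defensive side of that observation (not code from the original post): a Python scanner that pulls HTML comments from fetched page content and flags any whose body is a lone base64 blob, the kind of signal a proxy or host-based detection for this covert channel would key on. The sample page and its comment are constructed; real deployments would tune the length threshold and add whitelisting.

```python
import base64
import binascii
import re

# Standard HTML comments; DOTALL so comments spanning lines are captured.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A comment body that is a single base64 token of non-trivial length.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def decode_if_base64(token):
    """Return decoded bytes if token is strictly valid base64, else None."""
    if not B64_TOKEN_RE.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_comments(html):
    """Return (offset, token, decoded_bytes) for comments carrying a lone base64 blob."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        # Ordinary prose comments and conditional comments contain spaces; a
        # base64 blob does not (line wrapping is collapsed below).
        if " " in body:
            continue
        token = "".join(body.split())
        decoded = decode_if_base64(token)
        if decoded is not None:
            hits.append((m.start(), token, decoded))
    return hits


# Constructed sample page: two benign comments and one encoded blob.
SAMPLE_BLOB = base64.b64encode(b"constructed sample: not a real tasking string").decode()
SAMPLE_HTML = f"""<html><body>
<!-- header start -->
<!--[if IE]><p>old browser</p><![endif]-->
<p>Welcome to the site.</p>
<!-- {SAMPLE_BLOB} -->
</body></html>"""
```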

Q: How does a victim get infected?

The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:

  • U.S. Stocks Reverse Loss as Consumer Staples, Energy
  • Instruction_of_KC-135_share_space.doc
  • New contact sheet of the AN-UYQ-100 contractors.pdf
  • U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
  • ArmyPlansConferenceOnNewGCVSolicitation.pdf
  • Chinese Oil Executive Learning From Experience.doc
  • My Eight-year In Bank Of America.pdf

Similar to what Symantec indicated in a recent blog, if the malicious attachment is opened, it attempts to use an exploit against the target victim's system. It drops the malicious payload as well as a clean document to keep the ruse going.

Q: Does Symantec know who this group is targeting?

Yes. Symantec telemetry has identified many different industries being targeted by this group, including Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services. The following figure shows a worldwide heatmap of detections related to this group since the beginning of 2012.

Figure. Heatmap of Comment Crew related detections

Q: Currently, what are the most prevalent threats being used by this group?

Symantec, in the last year, has identified the most prevalent threats being used by this group as Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.

Q: Has Symantec released any publications around these attacks?

Yes. We have recently released publications to address techniques and targets of Trojan.Ecltys and Backdoor.Barkiofork, both of which are threats used by this group:

We have also investigated associated attacks of this group:

Q: What are the Symantec detection family names for threats used by this group?

Symantec also detects numerous other files used by this group under various detection names:

Q: Does Symantec have IPS protection for these threat families?

Yes. There are several IPS signatures to catch threat families associated with this group:

Q: How will this report affect the Comment Crew operations?

Despite the exposure of the Comment Crew, Symantec believes they will continue their activities. We will continue to monitor activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like the Comment Crew.