Yesterday morning we began seeing a rather disturbing attempt to get users to click on malicious attachments. This malware campaign was made to look as if it came from The National Institute for Health and Care Excellence which is an offshoot of the Department of Health in the United Kingdom. It claims that the institute received a sample of the recipient's blood, though it doesn't say how or when it came across this sample which should alert people right away that something is amiss, and it goes on to say that after doing a complete blood count test on the sample the results showed very low white blood cell counts and a suspicion of a cancer.
This campaign was also only directed at domains with a .co.uk tld suggesting that the targets were all meant to be in the UK and familiar with NICE. It began around 4am local time (CST) which is 9am in the UK peaking at 6am CST or 11am in the UK, and we’ve seen roughly 300,000 pieces.
This campaign randomizes the name of the signing doctor and utilizes three different subject lines –
IMPORTANT:Complete blood count (CBC)result
IMPORTANT:Blood analysis result
The email further instructs the recipient to print out the results and take them to their family doctor, the results being a malicious zip file attached to the email. The name of the file is CBC_Result_[random alphanumeric string].zip. Inside the archive is a file with a double extension made to look like a PDF file but in actuality is an executable with a PDF icon.
If the attachment is unzipped and executed the user may see a quick error window pop up and then disappear on their screen like this:
But what they won’t see is the downloader then taking control of the victim PC. It immediately begins checking to see if it is being analyzed by making long sleep calls and checking to see if it is running virtually or in a debugger. It also makes several duplicate instances of itself just in case someone was attempting to shut down the original process. Next it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware in turn posts this data to a server at 220.127.116.11 with the command /ppp/ta.php and punches a hole in the firewall to listen for further commands on UDP ports 7263 and 4400.
This is all very common behavior for the Zeus family of malware which is still very common in today’s attacks. Keep yourself informed and watch out for some of the common flaws that these malware campaigns employ such as addressing people by their email addresses as opposed to their actual names. Oftentimes generalities are used in the greeting with no names at all; this is a big red flag, especially when the content is trying to appear so personal. If there are any questions as to the legitimacy of any email, contact the supposed sender directly to authenticate.