by Dave Michmerhuizen & Luis Chapetti – Security Researchers
If you were in the business of distributing malware that steals computer credentials, wouldn’t you want to get your payload installed on the computers of people with money – LOTS of money? Barracuda Labs recently detected a spam campaign that tries to do just that by targeting hedge fund managers.
The pitch is in a short and simple spam that offers advice about carried interest fees.
Carried interest is a topic of particular interest to hedge and private equity funds. It is the share of a fund's profits paid to the fund's managers as compensation, and its tax treatment has been the subject of considerable debate. For this reason, any email purporting to carry information about carried interest fees is likely to pique the curiosity of financial professionals, and the spammers rely on that curiosity to get their malware installed.
Opening and running the attachment (never run attachments!) drops and displays a decoy PDF that is actually relevant to the subject line, so the victim sees nothing suspicious.
Meanwhile, the executable installs a keylogger that captures keystrokes and uploads them to a remote server over FTP.
Because FTP sends its login credentials and file transfers in cleartext, we were able to look at the remote server that receives the files. Each entry in the list shown corresponds to keystrokes and files from some computer whose owner ran the Trojan.
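The same property that let us inspect the drop server also makes this exfiltration easy to spot from a network tap. The script below is an added example, not part of the original analysis: it parses a constructed FTP control-channel transcript (the hostname, account, filenames and the 203.0.113.0/24 address are invented for illustration) and pulls out exactly what an eavesdropper or defender can see in cleartext: the username and password, the passive-mode data endpoints, and every file the client uploads with STOR.

```python
"""Parse a cleartext FTP control-channel exchange and extract what a passive
observer can see: credentials, data-channel endpoints and uploaded file names.
Added example; the transcript below is constructed, not from a real capture."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript: '>' lines are client->server, '<' lines are server->client.
SAMPLE_SESSION = """\
< 220 FTP Server ready.
> USER logs_upload
< 331 Password required for logs_upload.
> PASS hunter2
< 230 User logs_upload logged in.
> TYPE I
< 200 Type set to I.
> PASV
< 227 Entering Passive Mode (203,0,113,45,195,80).
> STOR VICTIM-PC_keys.txt
< 150 Opening BINARY mode data connection.
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (203,0,113,45,195,81).
> STOR VICTIM-PC_screenshot1.jpg
< 150 Opening BINARY mode data connection.
< 226 Transfer complete.
> QUIT
< 221 Goodbye.
"""

# RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2) -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpSession:
    user: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False
    uploads: List[str] = field(default_factory=list)          # completed STORs
    data_endpoints: List[Tuple[str, int]] = field(default_factory=list)


def parse_ftp_session(text: str) -> FtpSession:
    """Walk the control channel line by line, tracking state as a sniffer would."""
    session = FtpSession()
    pending_stor: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        direction, _, line = raw.partition(" ")
        if direction == ">":                       # client command
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                session.user = arg
            elif cmd == "PASS":                    # password is visible on the wire
                session.password = arg
            elif cmd == "STOR":
                pending_stor = arg                 # upload begins; confirm on 226
        elif direction == "<":                     # server reply
            code = line[:3]
            if code == "230":
                session.logged_in = True
            elif code == "227":
                m = PASV_RE.search(line)
                if m:
                    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                    session.data_endpoints.append(
                        (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            elif code == "226" and pending_stor is not None:
                session.uploads.append(pending_stor)   # transfer completed
                pending_stor = None
    return session


# File types a keylogger typically ships home: keystroke logs and screenshots.
EXFIL_EXTENSIONS = (".txt", ".log", ".jpg", ".png", ".zip")


def exfil_indicators(session: FtpSession) -> List[str]:
    """Return findings an analyst would act on for a session like this one."""
    findings = []
    if session.password is not None:
        findings.append(f"cleartext credentials: {session.user}:{session.password}")
    for name in session.uploads:
        if name.lower().endswith(EXFIL_EXTENSIONS):
            findings.append(f"upload of {name}")
    return findings


if __name__ == "__main__":
    s = parse_ftp_session(SAMPLE_SESSION)
    for f in exfil_indicators(s):
        print(f)
```

The same parser works on reassembled TCP streams (for example tcpflow or Wireshark "Follow TCP Stream" output) once the two directions are marked; the recovered credentials are what let a researcher log into the drop server, and the STOR filenames are what a detection rule would key on for outbound uploads from workstations.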
Never trust an attachment sent to you in email, even if the source appears reputable. In cases like this we suggest you first save the attachment to disk without running it and then submit it to the virus scanning service virustotal.com. That site subjects the attachment to over 40 different malware scanners and returns a report like the one shown for the attachment from this spam. Keep in mind that a low detection count does not prove a file is safe: freshly distributed samples are often missed by most engines for their first day or two in circulation.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.