A very malicious spam campaign has been detected and reported by the good folks at m86 Security Labs. The attack consists of emails appearing to come from reception desk managers at various hotels, targeting Visa users. The emails exhibit subject lines such as “Hotel Sutton Place made wrong transaction” and “Wrong transaction from your credit card in Four Seasons Resort Scottsdale” and contain a rather long explanation in very bad English, claiming that the hotel has charged your credit card for over $1,000 by mistake.
To summarize, the email generally says, “Please see the attached form. You need to fill it in and contact your bank for the return of funds,” and offers an attachment named RefundFormXXX.zip (XXX represents a random three digit number). The unzipped file is Refund-Form.exe which is outfitted with the icon for an Excel file in order to encourage opening (executing) it. Once executed, the malware downloads another executable from a Russian domain which is a fake AV application named “Security Protection”.
An HTTP request is sent to 126.96.36.199, requesting a module called ‘grabbers’ from load.php. A file called update.dat is retrieved, which is actually an encrypted Windows .dll file. Once decrypted it acts as a password stealer looking for stored passwords and targeting a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers.
Roughly one day after all of this malicious activity takes place, another HTTP request is sent, retrieving another fake AV called “Personal Shield Pro.