
Windows PCs Infected with Backdoor Trojan via Microsoft Publisher Files


Batu69


Trojan can steal passwords, log keystrokes

Image: Two spam email samples spreading the new trojan

Bitdefender security researchers say they've uncovered a spam flood spreading booby-trapped Microsoft Publisher (PUB) files laced with a new trojan that opens a backdoor on infected computers.

The company says it detected a few thousand of these emails in a short period, all with .pub files attached.

The spam itself claimed to come from various brands in the UK and China and tried to pass as orders and invoices.

PUB file -> VBScript -> AutoIt script -> Backdoor Trojan

The attached PUB file, when opened, would trigger a VBScript that downloads a self-extracting cabinet (CAB) file on the user's PC.

This archive contains an AutoIt script, the AutoIt interpreter needed to run it, and a file encrypted with AES-256. Bitdefender's team noticed that a string embedded in the AutoIt script serves as the decryption key for that encrypted file.

The encrypted file is actually a backdoor trojan that allows crooks to connect to the infected PC.
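The chain above starts with an unusual attachment type arriving by mail, which is the point where a mail gateway or SOC triage script has the easiest chance to catch it. The following is an added example (not Bitdefender's tooling and not code from the original article) of a small attachment-triage routine: it flags .pub attachments and, for any attachment that is an OLE compound file (the container format Publisher and legacy Office documents use), looks for the UTF-16LE stream names that a VBA project leaves in the OLE directory. The sender addresses, file names and the minimal fake OLE blob in `build_sample()` are constructed for the demonstration; the macro-stream heuristic is deliberately crude, and a production filter would parse the container with a real OLE parser such as olefile/oletools instead of searching raw bytes.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound file (Publisher .pub, .doc, .xls, ...)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Attachment extensions worth a closer look in this environment (assumption:
# .pub is not something this organisation expects to receive by mail).
SUSPECT_EXTENSIONS = {".pub"}

# OLE directory entries store stream names as UTF-16LE, so the markers are
# encoded that way. These names are left behind by a VBA project (heuristic).
MACRO_STREAM_NAMES = [
    name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros", "VBA")
]


def triage_attachment(filename, data):
    """Return a list of reasons this attachment deserves analyst attention."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in SUSPECT_EXTENSIONS:
        reasons.append(f"unusual attachment type {ext}")
    if data.startswith(OLE_MAGIC):
        hits = [
            m.decode("utf-16-le") for m in MACRO_STREAM_NAMES if m in data
        ]
        if hits:
            reasons.append("OLE container with macro stream names: " + ", ".join(hits))
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Construct a sample 'order' mail with a fake .pub and a harmless PDF.

    The .pub body is NOT a real Publisher file: it is the OLE magic followed
    by padding and one UTF-16LE macro stream name, enough to exercise the
    heuristic offline.
    """
    msg = EmailMessage()
    msg["From"] = "orders@example-brand.invalid"   # constructed sender
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Order confirmation"
    msg.set_content("Please see the attached order.")
    fake_pub = OLE_MAGIC + b"\x00" * 32 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16
    msg.add_attachment(
        fake_pub, maintype="application", subtype="octet-stream",
        filename="order_4821.pub",
    )
    msg.add_attachment(
        b"%PDF-1.4 constructed harmless sample", maintype="application",
        subtype="pdf", filename="invoice.pdf",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()):
        print(f"{name}: {'; '.join(reasons)}")
```

Running the block prints one finding for `order_4821.pub` (unusual extension plus macro stream names) and nothing for the PDF. In a gateway the same function would feed a quarantine decision or an alert, and the extension set would be tuned to what the organisation actually exchanges.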

Trojan can log keystrokes, steal passwords

This trojan can also log keystrokes, record passwords as they're typed into login forms, dump passwords from browsers and email clients, gather information about the infected system, and more.

Bitdefender's team hasn't bothered naming the malware, which is currently detected only as Generic.Malware.SFLl.545292C. The PUB files spreading the trojan are detected in security alerts as W97M.Downloader.EGF.

What's strange about this malware distribution campaign is the usage of PUB files, specific to Microsoft's Publisher application, one of the apps included in the Office 365 suite.

".pub is not your typical file format to host malware," Adrian Miron, Head of Antispam Lab at Bitdefender, says. "Spammers have chosen it because people don’t usually associate this type of file with the possibility of infection."

Article source
