
Browser Exploits Delivered as HTML Attachment

We have logged more than 300 email messages carrying various HTML attachments that contain obfuscated JavaScript code. The script redirects users to download malicious executable files that install the ZBot banking trojan. We also noticed that some of the HTML files redirected us to external URLs hosting web browser exploit kits, which try to exploit a few IE, FF, PDF and Java vulnerabilities in order to install the TDSS rootkit on our system.

Example messages: [three images]

The most used email subjects are:

Please find my CV and cover letter attached.
Attached please find.
Enclosed please find.
Please find enclosed.
Please find CV enclosed.
The resume document is attached.
Enclosed is my CV for your consideration. Thanks
Resume.
My resume Pls.
Read my CV letter attached.
CV ready for you.
Important CV here.
Please take a look at the attached resume.
I have attached the resume.
616-13 like Important Information
Changelog 09.2010
Welcome Letter
Offer on Killington
Here’s that file that you wanted.
Attached file please find.
Please review the attached resume.
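
One way to triage mail for the pattern described above (an added example, not code from the original post): it checks the subject against a subset of the listed subjects and reports HTML attachments whose inline scripts contain obfuscation or redirect markers. The marker patterns, the function names and the two sample messages are assumptions constructed for illustration; the post does not show the script itself.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Subset of the subject lines listed above, normalised (lower case, no trailing punctuation).
LURE_SUBJECTS = {
    "please find cv enclosed", "the resume document is attached",
    "i have attached the resume", "please review the attached resume",
    "attached file please find", "welcome letter", "changelog 09.2010",
}
# Assumption: generic obfuscation/redirect markers, not taken from the post.
JS_MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"\bfromCharCode\s*\("),
    "location": re.compile(r"\blocation\b"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def normalise(subject):
    return re.sub(r"[\s.!]+$", "", subject.strip().lower())

def triage(raw):
    """Return (lure_subject, {attachment name: [markers found in its scripts]})."""
    msg = message_from_bytes(raw)
    lure = normalise(msg.get("Subject", "")) in LURE_SUBJECTS
    flagged = {}
    for part in msg.walk():
        name = part.get_filename() or ""
        html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if part.get_content_disposition() != "attachment" or not html:
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        scripts = "\n".join(SCRIPT_RE.findall(text))
        hits = sorted(k for k, rx in JS_MARKERS.items() if rx.search(scripts))
        if hits:
            flagged[name] = hits
    return lure, flagged

def sample(subject, html):
    """Constructed test message, not a captured one."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content("See attachment.")
    m.add_attachment(html.encode(), maintype="text", subtype="html", filename="resume.html")
    return m.as_bytes()

BAD = sample("Please find CV enclosed.",
             "<html><script>var u=unescape('%2F%2Fexample.invalid');window.location=u;</script></html>")
GOOD = sample("Minutes from Tuesday", "<html><body><p>Notes</p></body></html>")
```

A subject match alone is weak evidence, since the listed subjects also occur in legitimate mail; the attachment findings carry the weight.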