At the end of last week, we were made aware of a new targeted attack. The social engineering strategy and malware construction caught our attention because of its sophistication. The threat came as an e-mail addressed to a director at a company based in Canada. The e-mail was addressed with the full name, street address and phone number of the victim, which made the message very credible. It claimed to be from the Canadian government and asked the recipient to download and fill out a PDF form.
If the recipient clicked on the link, then a file with a PDF icon was downloaded with the recipient’s name as the filename.
When executed, the malware downloads additional programs from a compromised web site.. "At the time of writing, the server hosting the additional files is located in the United States.. One of the downloaded programs is a complete installation of Apache web server that has been configured to run as a proxy server on the local machine. A proxy server is a program which redirects all network traffic through itself." The malware also modifies the hosts file of the computer to redirect access to banking and online trading sites through the proxy server it installed. The purpose of this malware attack is to steal account information. Once the attacker is in possession of this information, he can wire the money to another account or sell it to a third party that will take care of the withdrawal. This malware has one last trick to let the user think he is really dealing with a form from the government. After infection, it will download a PDF file from the Canadian government’s website and display it to the user. It is to be noted that the attacker made an error here since the PDF form is for a different Province but the trick could still have been effective.
This threat was first detected by Nod32’s proactive detection. Upon reception of the sample, only a very limited set of scanners had detection for this malware. After analysis of the sample, it was given the name Pachat.A.
Author Pierre-Marc Bureau, ESET