Security researchers have uncovered a sandbox-evading trojan, aimed specifically at corporate users, hidden in legitimate-looking phishing emails that ape Microsoft’s Volume Licensing.
The emails, according to Softpedia News, imitate legitimate messages from the Microsoft Volume Licensing Service Center, including a personalized greeting and the victim’s email address in the URL string, making them seem more realistic than the average phishing email.
The message informs the recipient that they now have administration permissions for handling volume licenses, and points victims to a compromised WordPress server, across four domains. The landing pages reproduce genuine pages from the Microsoft Volume Licensing Service Center to further the illusion.
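As an added illustration of how a mail gateway could flag the lure described above (example code, not part of the original article or of any vendor's product), the following scans a message body for links that carry the recipient's own address in the URL while pointing at a host outside the genuine licensing domain. The message body, the domains and the trusted-suffix list are all constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlparse

# Hosts the genuine Volume Licensing Service Center lives under (assumption for this example)
TRUSTED_SUFFIXES = ("microsoft.com",)

# Crude URL extractor for plain-text mail bodies
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_trusted(host: str) -> bool:
    """True only if host equals a trusted suffix or is a subdomain of it.
    A suffix check on the whole host string would accept lookalikes such as
    microsoft.com.evil.test, so the comparison is done on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(body: str, recipient: str) -> List[Dict[str, str]]:
    """Return links whose path, query or fragment embeds the recipient's address
    (raw or percent-encoded) while the host is outside the trusted suffixes."""
    recipient = recipient.lower()
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop punctuation that trails a URL in prose
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Decode once so both 'john.doe@' and 'john.doe%40' forms are matched
        tail = unquote(parsed.path + "?" + parsed.query + "#" + parsed.fragment).lower()
        if recipient in tail and not host_is_trusted(host):
            findings.append({"url": url, "host": host})
    return findings


# Constructed sample body: two lure links and one genuine reference link
SAMPLE_BODY = """Dear John,
You have been granted administrator permissions for volume licensing.
Sign in here: http://blog.example-wp-site.test/wp-content/vlsc/?user=john.doe%40corp.example
Or here: http://microsoft.com.evil.test/licensing?e=john.doe@corp.example.
Reference: https://www.microsoft.com/licensing/servicecenter/
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY, "john.doe@corp.example"):
        print("suspicious link on host", hit["host"], "->", hit["url"])
```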
The phishing scam was uncovered by Cisco’s Martin Nystrom, who went into great detail about the malware it is spreading, which The Register describes as “slightly neurotic in its bid to evade detection”, as it searches for sandboxes and is capable of putting itself to sleep for 30 minutes to avoid being spotted.
“The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything,” Nystrom wrote. “[It] sleeps to wait out automatic sandbox analysis before starting to communicate on the internet,” he added.
It has a number of other tricks up its sleeve, including “copying itself under a different file name only to return to its original name” – a trick designed to “cause some sandbox systems to fail.”
Given the careful steps the malware takes to go about its business undetected, it’s perhaps unsurprising that its command and control servers are located in the Tor network. The malware reaches them through Tor2Web, which relays ordinary web requests to Tor hidden services, so the infected machine never has to join the Tor network itself.
For information on avoiding phishing scams, be sure to read David Harley’s in-depth analysis of phishing techniques. The email below also provides some helpful quick pointers.
Author Alan Martin, ESET