
Researchers at M86 Security Labs have found out who was behind the surge in spam carrying malicious HTML attachments observed in the first days of 2012. The culprit was the Cutwail botnet.


Previously, HTML e-mails were used mostly for phishing, but since January of this year there have been periodic waves of HTML documents containing a malicious script. In the mail client, such a message looks like this.

This illustration shows the message opened in the Mozilla Thunderbird mail client. With the program's default settings JavaScript is not executed, so for the malicious code to run the user has to open the HTML file manually by clicking on it.

The second image, below, is an example from a more recent spam campaign. The message claims to contain an invoice from some company and, in this case, asks the user to open the attachment in a browser. The attached file looks harmless and is shown with the default browser icon.

The source of the HTML file contains the following code.

This element creates a frame that opens in the same browser window. The frame sends the user to a site hosting the Phoenix Exploit Kit, which attempts to install the Cridex banking Trojan on the computer.
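As an added example (not code from the article or from M86 Security Labs), the following Python script checks an e-mail's HTML attachments for frame or iframe elements that point at a remote host, the structure the article describes; the sample message, the filename and the hostname are constructed, and the heuristic itself is an assumption about what such attachments look like.

```python
# Added example: flag e-mail HTML attachments that embed a frame pointing at a
# remote host. The sample message is constructed; the heuristic is an assumption.
from email import message_from_bytes
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class FrameFinder(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in ("frame", "iframe"):
            self.sources += [v for k, v in attrs if k.lower() == "src" and v]


def external_frame_targets(html: str) -> list[str]:
    """Return frame/iframe src values that point at a remote http(s) host."""
    finder = FrameFinder()
    finder.feed(html)
    return [s for s in finder.sources
            if urlparse(s).scheme in ("http", "https") and urlparse(s).netloc]


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attached HTML file to the external frame targets it embeds."""
    hits = {}
    for part in message_from_bytes(raw).walk():
        # Only attached files count; the message's own HTML body is skipped.
        if part.get_content_type() != "text/html" or not part.get_filename():
            continue
        html = part.get_payload(decode=True).decode("utf-8", errors="replace")
        targets = external_frame_targets(html)
        if targets:
            hits[part.get_filename()] = targets
    return hits


def build_sample() -> bytes:
    """Constructed message resembling the invoice lure in the article."""
    msg = EmailMessage()
    msg["Subject"] = "Your invoice"
    msg.set_content("Please open the attached invoice in your browser.")
    html = ('<html><body><iframe src="http://exploit-kit.invalid/index.php" '
            'width="1" height="1"></iframe></body></html>')
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the attachment together with the remote URL its frame loads; a relative or local src is not reported.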

A screenshot of the Phoenix control panel shows the referrers, indicating which site each visitor came from. An empty field means the visitor was redirected from a mail client. As you can see, the infection rate for these users is not very high, only 15.56%.