Coffee Served Hot With Cream and Malware!

 Analysis by: Mark Christian Aquino

Social engineering finds its way to greet you with coffee in this spammed message. The message purports to come from the coffee chain Starbucks and entices the recipient to open the email by claiming that it is a gift from a friend. The gift details are supposedly in the attachment, which turns out to be an executable file that Trend Micro detects as malware.

Upon closer inspection of the message, the From field reflects various email addresses, none of which belong to the coffee company. The attached file, named Starbucks Coffee Company gift details on 12.04.2014.exe, is actually a ZBOT variant we detect as TSPY_ZBOT.YYJR. Once run, it drops a NECURS variant detected as RTKT_NECURS.BGSG. NECURS is notorious for disabling the security features of the computers it infects, leaving them at serious risk of further infection.
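The two indicators described above, a From address outside the brand's domain and an executable attachment, are easy to check mechanically at the mail gateway or during triage. The following Python script is an added example and is not part of the original post or of any Trend Micro product; the .eml samples it scans are constructed here with placeholder addresses, the attachment is a harmless byte stub that merely starts with the PE magic, and starbucks.com is assumed for illustration to be the brand's legitimate sending domain.

```python
# Added example (not from the original post): flag a brand-impersonating sender
# and an executable attachment in an RFC 822 message.
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CLAIMED_BRAND = "starbucks"
LEGITIMATE_DOMAINS = {"starbucks.com"}  # assumption for illustration only
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample(from_hdr, subject, body, attachment=None):
    """Construct an RFC 822 message string; attachment is (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed lure: the display name claims the brand, the address does not, and
# the "gift details" are a file whose bytes begin with the PE magic "MZ".
# The payload is a zero-filled stub, not real malware.
SPAM_EML = build_sample(
    "Starbucks Coffee Company <gifts@example.net>",
    "Starbucks Coffee Company gift from your friend",
    "A friend has sent you a gift. Open the attached details to claim it.",
    ("Starbucks Coffee Company gift details on 12.04.2014.exe",
     b"MZ\x90\x00" + b"\x00" * 60),
)

# Constructed benign message from the assumed legitimate domain, no attachment.
CLEAN_EML = build_sample(
    "Starbucks <news@starbucks.com>",
    "Your weekly offers",
    "This week's offers are on our website.",
)


def sender_domain(msg):
    """Domain of the address in the From header (display name ignored)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: the visible parts (display name, subject) present the brand,
    # but the actual sending domain is not one the brand uses.
    domain = sender_domain(msg)
    visible = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    if CLAIMED_BRAND in visible and domain not in LEGITIMATE_DOMAINS:
        findings.append(f"brand impersonation: presents as {CLAIMED_BRAND} "
                        f"but From domain is {domain}")

    # Indicator 2: an attachment that is executable by extension or by content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment by extension: {name}")
        if data[:2] == b"MZ":
            findings.append(f"attachment starts with PE magic MZ: {name}")
    return findings


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_EML), ("clean", CLEAN_EML)):
        print(label, triage(sample) or "no findings")
```

Checking the first two bytes of the decoded attachment catches the case where the sender renames the executable to a harmless-looking extension, which an extension-only rule would miss; conversely, the extension check still fires on scripts that carry no magic bytes.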

All the spammed mail and their variants, along with their embedded URLs and malware are detected and blocked by the Trend Micro™ Smart Protection Network™.

 SPAM BLOCKING DATE / TIME: April 09, 2014 GMT-8
 TMASE INFO
  • ENGINE:7.5
  • PATTERN:0622