Trend Micro researchers recently discovered a new spam campaign that distributes a downloader disguised as a .WIZ file (detected by Trend Micro as W2KM_DLOADER.WIZ) together with a .PDF file (PDF_MDROP.E), which then drops a backdoor (BKDR_COBEACON.QNA) as its payload. This spam campaign has been observed targeting financial institutions.
Trend Micro has observed this spam campaign sending email to several addresses associated with banks. WIZ is short for Wizard: .WIZ files are Microsoft Word wizard templates that guide users through intricate or repetitive document types or tasks, and like other Word templates they can carry VBA macros, which is why the downloader is detected as a Word macro (W2KM) threat. Threat actors may have chosen the banking industry as their target because of its use of Wizards for processing documents such as bank and billing statements and for guiding customers through filing income tax returns, and may have abused that familiarity to trick bank customers into opening malicious .WIZ files delivered via spam. For defenders, the point to take away is that .WIZ is an extension that attachment policies built around .doc and .docm may not cover, and it should be handled the same way as any other macro-capable Word document.
This malspam campaign is related to the recently discovered Marap, a modular downloader that lets cybercriminals fetch additional modules and payloads onto affected machines. As observed by Trend Micro researchers, both campaigns share the same X-Originating-IP header value, which points to common sending infrastructure. However, instead of Marap's .IQY attachment of choice, the new campaign distributes .WIZ and .PDF files, and we have seen it hit users in India, Taiwan, and Italy, among other countries.
Trend Micro also observed and closely monitored the .IQY-distributing spam campaign around the time Marap was first reported. On August 28, 2018, we saw another malware campaign carrying .WIZ and .PDF files.
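The two pivots described above, the unusual attachment extensions and the shared X-Originating-IP header, are easy to turn into a mailbox triage check. The following is an added example written for this article, not Trend Micro code or a detection from any product: it parses raw messages with the Python standard library, records the X-Originating-IP value and attachment names, flags the attachment types the article names, and groups hits by originating IP so that separate waves from one origin stand out. The sample messages, sender and recipient addresses, and IP addresses are constructed for the example (RFC 5737 test ranges) and are not real indicators.

```python
"""Mailbox triage for .WIZ/.PDF malspam and the related .IQY (Marap) wave.

Added example, not code from Trend Micro or from the article. All sample
messages, addresses and IPs below are constructed for the example.
"""
import os
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions named in the article. .wiz and .iqy are rare enough in normal
# mail to be high confidence; .pdf is common and is only marked for review.
HIGH_CONFIDENCE = {".wiz", ".iqy"}
REVIEW = {".pdf"}


def build_sample(orig_ip, attach_name, subject):
    """Construct a sample message in the shape a mail gateway would hand us."""
    msg = EmailMessage()
    msg["From"] = "statements@example.invalid"      # constructed sender
    msg["To"] = "accounts@bank.example"             # constructed recipient
    msg["Subject"] = subject
    msg["X-Originating-IP"] = f"[{orig_ip}]"        # bracketed, as commonly seen
    msg.set_content("Please review the attached document.")
    msg.add_attachment(b"placeholder bytes, not a real attachment",
                       maintype="application", subtype="octet-stream",
                       filename=attach_name)
    return msg.as_bytes()


# Constructed corpus: two waves from one origin plus one unrelated message.
SAMPLE_MESSAGES = [
    build_sample("203.0.113.45", "statement.wiz", "August statement"),
    build_sample("203.0.113.45", "invoice.iqy", "Overdue invoice"),
    build_sample("198.51.100.7", "agenda.docx", "Meeting agenda"),
]


def originating_ip(msg):
    """Return the X-Originating-IP value without surrounding brackets, or None."""
    raw = msg.get("X-Originating-IP")
    return None if raw is None else str(raw).strip().strip("[]")


def classify(filename):
    """Map an attachment name to 'high', 'review' or None by its extension."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in HIGH_CONFIDENCE:
        return "high"
    if ext in REVIEW:
        return "review"
    return None


def triage(raw_messages):
    """Parse each raw message; record origin, attachment names and flagged names."""
    parser = BytesParser(policy=policy.default)
    results = []
    for raw in raw_messages:
        msg = parser.parsebytes(raw)
        names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
        flagged = {n: classify(n) for n in names if classify(n)}
        results.append({
            "subject": str(msg["Subject"]),
            "orig_ip": originating_ip(msg),
            "attachments": names,
            "flagged": flagged,
        })
    return results


def group_by_origin(results):
    """Cluster flagged messages by X-Originating-IP, the pivot used in the article."""
    groups = defaultdict(list)
    for r in results:
        if r["flagged"] and r["orig_ip"]:
            groups[r["orig_ip"]].append(r["subject"])
    return dict(groups)


if __name__ == "__main__":
    hits = triage(SAMPLE_MESSAGES)
    for h in hits:
        print(h["orig_ip"], h["subject"], h["flagged"])
    print(group_by_origin(hits))
```

The X-Originating-IP header is set by the submitting mail system and is not authenticated, so it is a correlation pivot rather than proof of origin; the extension check should likewise be read as a triage filter, since the file type inside the attachment matters more than the name it was given.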
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. Trend Micro™ Email Reputation Services™ detects the spam mail used by this threat upon arrival.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence, offering comprehensive protection against advanced malware.