Just a few hours after the first incident of TROJ_BAGLE.EY in the Email Honeypot, I noticed another sample in MailTrap that is making the rounds. So I quickly checked the sample, which is detected as PAK_GENERIC.001.
Though there's nothing new or special about this backdoor, it reached a total count of 280 samples in less than 3 hours. This must be the result of the massive spamming we are facing today, just like what I noticed in the sample count of the recent TROJ_BAGLE.EY: it is packed with UPolyX, but we have intercepted 870 samples (at the time of writing), all with the same MD5 hash. The point is, it is packed with a polymorphic packer, yet we are getting numerous copies of only one generation of the sample! Why? It is all because of what I've just mentioned: massive spamming. Oh well... :(
The sample, which arrived as a zip file, has a file size of 10,090 bytes and an MD5 hash of 87B40A62BD5D8FD2A5ED24C16B92B5D1. The filename may be any of the following:
- Article+Photos.zip
- Article.zip
- article_July_0077.zip
- article_July_1726.zip
- article_July_1734.zip
- article_July_1823.zip
- article_July_2417.zip
- article_July_2614.zip
- article_July_2865.zip
- article_July_4409.zip
- article_July_4988.zip
- article_July_5503.zip
- article_July_6301.zip
- article_July_7817.zip
- article_July_8048.zip
- article_July_8092.zip
- article_July_8477.zip
- article_July_8491.zip
- article_July_9935.zip
- ArticlePhotos.zip
- CCTV-footage.zip
- CCTVstill.zip
- Photo+Article.zip
- PhotoandArticle.zip
- Photos.zip
- suspectimage.zip
- Suspectphoto.zip
- suspiciousphoto.zip
Here is the sample email.