A huge spam wave dropping booby-trapped Microsoft Publisher (PUB) files has been spotted by security experts at Bitdefender. These PUB files deliver a newly-found Trojan, which, when attacks, opens a backdoor on the infected machines.
Bitdefender managed to detect a couple of thousands of the malicious email messages with all of them having the “.pub” files attached. The emails pretend to be invoices and orders coming from differed brands in China and the UK.
When a victim opens the PUB file, it triggers a VBScript which downloads a self-extracting cabinet (CAB) file on their computers. The CAB file, on the other hand, contains an Autolt script, a tool for running this script and one more file, which is encrypted with the AES-256 algorithm. Bitdefender discovered that one string from this Autolt script is the decryption key for the latter file.
The encrypted with the AES-256 algorithm file, in fact, a backdoor Trojan with whose help crooks establish a connection with the compromised PC.
Aside from that, the Trojan is also capable of recording passwords as they’re typed into login forms, dumping passwords from emails and browsers, logging keystrokes, collecting information about the compromised system etc.
The malware is currently being detected as Generic.Malware.SFLl.545292C as Bitdefender hasn’t given it a name yet. Security programs are detecting the Trojan spreading PUB files as W97M.Downloader.EGF.
What’s particularly strange about this Trojan`s distribution campaign is the fact in relies on PUB files, specific to Microsoft’s Publisher application which is included in the Office 365 suite.
“.pub is not your typical file format to host malware.” – says Adrian Miron, Head of Antispam Lab at Bitdefender – “Spammers have chosen it because people don’t usually associate this type of file with the possibility of infection.“
