Websense Security Labs™ and the Websense ThreatSeeker® Network have detected malicious emails disguised as HSBC notifications. A closer look at these emails, like the one you can see below, reveals that the link they provide is a compromised URL belonging to the Philippine Bureau of Immigration.
Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration uses Joomla as its CMS, and the site contains a file named “atualizar.php”, a Portuguese name that translates to “update.php”.
The file was probably replaced or inserted maliciously. If you request “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php”, the HTTP response status code is 302, which is the most common way of performing a redirection. It redirects to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload:
[kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
--2011-08-10 17:15:03-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
Resolving immigration.gov.ph... 124.6.144.116
Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
--2011-08-10 17:15:04-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
Reusing existing connection to immigration.gov.ph:80.
HTTP request sent, awaiting response... No data received.
Retrying.
--2011-08-10 17:15:05-- (try: 2) http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 699460 (683K) [application/x-msdos-program]
Saving to: “atualizar.exe”
100%[============================================================================>] 699,460 63.4K/s in 12s
2011-08-10 17:15:17 (57.2 KB/s) - “atualizar.exe”
Trend Micro flags this file as malicious.
The VirusTotal analysis results for this .exe show how different AV solutions detect it.
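The redirect chain in the wget transcript above (a .php URL that answers 302 and hands off to an .exe served as application/x-msdos-program) can be flagged automatically when triaging links from suspicious emails. The following Python is an added example, not part of the original post; the host example.test, the function names and the extension and MIME-type lists are assumptions, and the sample transcript is constructed from the one above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the transcript above; example.test is a placeholder host.
SAMPLE = """\
--2011-08-10 17:15:03--  http://example.test/old/atualizar.php
HTTP request sent, awaiting response... 302 Found
Location: http://example.test/old/atualizar.exe [following]
--2011-08-10 17:15:04--  http://example.test/old/atualizar.exe
HTTP request sent, awaiting response... No data received.
Retrying.
--2011-08-10 17:15:05--  (try: 2)  http://example.test/old/atualizar.exe
HTTP request sent, awaiting response... 200 OK
Length: 699460 (683K) [application/x-msdos-program]
"""
# Assumed watch lists: extend to match local policy.
EXEC_EXT = (".exe", ".scr", ".com", ".pif")
EXEC_TYPES = {"application/x-msdos-program", "application/x-msdownload", "application/x-dosexec"}

REQ = re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(?:\(try:\s*\d+\)\s+)?(\S+)")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})\b")  # skips "No data received."
LOCATION = re.compile(r"^Location: (\S+)")
LENGTH = re.compile(r"^Length: \S+.*\[([^\]]+)\]")

def parse_hops(transcript):
    """Return one dict per answered request: url, status, location, content_type."""
    hops, url = [], None
    for line in transcript.splitlines():
        if m := REQ.match(line):
            url = m.group(1)  # a retry of the same URL simply overwrites it
        elif (m := STATUS.search(line)) and url:
            hops.append({"url": url, "status": int(m.group(1)), "location": None, "content_type": None})
        elif (m := LOCATION.match(line)) and hops:
            hops[-1]["location"] = m.group(1)
        elif (m := LENGTH.match(line)) and hops:
            hops[-1]["content_type"] = m.group(1).lower()
    return hops

def findings(hops):
    """Flag redirects that point at executables and executable bodies served after a redirect."""
    out = []
    for i, hop in enumerate(hops):
        if 300 <= hop["status"] < 400 and hop["location"]:
            if urlsplit(hop["location"]).path.lower().endswith(EXEC_EXT):
                out.append(("redirect-to-executable", hop["url"], hop["location"]))
        elif hop["status"] == 200 and i > 0 and 300 <= hops[i - 1]["status"] < 400 \
                and hop["content_type"] in EXEC_TYPES:
            out.append(("executable-after-redirect", hops[0]["url"], hop["url"]))
    return out
```

Calling `findings(parse_hops(SAMPLE))` reports both the 302 into the .exe path and the executable content type that follows it; the failed first attempt ("No data received.") is ignored because it carries no status code.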
Source Reference: Websense Security Labs

