Spammers Set Up Fake Surgical Strikes on Syria

Contributor: Binny Kuriakose

Spammers continue to leverage the crisis in Syria for personal gain. Following a scam message that claimed to come from the Red Cross, spammers are now using emails about the news from Syria. Mixed in among them are a few malicious messages containing URLs that entice the user to visit a compromised website hosting obfuscated JavaScript, which in turn downloads the Trojan Downloader.Ponik.

When the Trojan is executed, it may create the following files:

  • %TEMP%\[RANDOM CHARACTERS FILE NAME].bat
  • %UserProfile%\Local Settings\Application Data\pny\pnd.exe

The Trojan then injects a malicious executable payload, which may allow the attacker to steal passwords and other sensitive information. The two paths above (a randomly named .bat file in %TEMP% and pnd.exe under the user's Local Settings\Application Data\pny folder) are therefore useful host indicators of an infection.

The subject line of the emails has no connection to the body of the message; for example:

Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf

The body of the email (Figure 1) carries the Syria news lure and an embedded URL of the form “http://xxxxx.xxx.xx/xxxxx/index.html”.

[Image: Syria email 1 edit.png]

Figure 1. Spam email contents
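As an added example (not code from the original post or from Symantec), the following Python script turns the indicators above into a small triage check: it parses a raw email, extracts the URLs in the body and flags those matching the http://xxxxx.xxx.xx/xxxxx/index.html shape, flags a subject line that advertises a DocuSign document while the body talks about Syria, and matches file-creation paths against the two artifacts listed for Downloader.Ponik. The sample messages, the sample file paths, the example.invalid host and the keyword lists are constructed for this example and are assumptions, not data from the post.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators from the post: the URL shape seen in the email body and the two
# files Downloader.Ponik may create (the .bat name is random, so only its
# location and extension are matched).
URL_SHAPE = re.compile(r"^https?://[^/\s]+/[^/\s]+/index\.html$", re.IGNORECASE)
FILE_INDICATORS = (
    re.compile(r"\\temp\\[^\\]+\.bat$", re.IGNORECASE),
    re.compile(r"\\local settings\\application data\\pny\\pnd\.exe$", re.IGNORECASE),
)

# Keyword lists are an assumption made for this example; they approximate the
# "subject has no connection to the body" mismatch the post describes.
SUBJECT_LURES = ("docusign", "agreement", ".pdf")
BODY_THEMES = ("syria", "surgical strike", "damascus")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def body_text(msg):
    """Concatenate the text parts of a parsed message (single- or multipart)."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )


def triage_email(raw):
    """Parse a raw RFC 5322 message and report which indicators it trips."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    body = body_text(msg)
    body_lower = body.lower()
    # Strip trailing sentence punctuation that the URL regex would swallow.
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    suspicious_urls = [u for u in urls if URL_SHAPE.match(u)]

    findings = []
    if suspicious_urls:
        findings.append("url_pattern")
    subject_lure = any(k in subject.lower() for k in SUBJECT_LURES)
    body_on_theme = any(k in body_lower for k in BODY_THEMES)
    body_backs_subject = any(k in body_lower for k in SUBJECT_LURES)
    if subject_lure and body_on_theme and not body_backs_subject:
        findings.append("subject_body_mismatch")
    return {"subject": subject, "urls": urls,
            "suspicious_urls": suspicious_urls, "findings": findings}


def match_file_indicators(paths):
    """Return the file paths that match the artifacts listed in the post."""
    return [p for p in paths if any(rx.search(p) for rx in FILE_INDICATORS)]


# Constructed sample message: the subject line is the one quoted in the post,
# the body and the example.invalid URL are made up for this example.
SAMPLE_EMAIL = """\
From: news@example.invalid
To: user@example.invalid
Subject: Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
Content-Type: text/plain; charset="utf-8"

Breaking: surgical strikes on Syria expected within hours.
Read the full report at http://example.invalid/news/index.html.
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: billing@example.invalid
To: user@example.invalid
Subject: Invoice for March
Content-Type: text/plain; charset="utf-8"

Hello, the invoice for March is attached. Thanks.
"""

# Constructed file-creation events, as an endpoint log might record them.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\a1b2c3d4.bat",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\pny\pnd.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]

if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
    print(triage_email(BENIGN_EMAIL))
    print(match_file_indicators(SAMPLE_PATHS))
```

The URL check deliberately matches the shape of the link rather than a specific host, since the post only gives the placeholder pattern; in practice the keyword lists would be replaced with whatever lure and theme terms a given campaign uses.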

Most such attacks exploit vulnerabilities in software on the user’s computer that has not been updated or patched in time. Users are advised to keep their software and antivirus protection up to date, not to click on suspicious links, and not to open files from unsolicited sources.

Symantec provides regular security updates to stave off such attacks from spammers.