The Trojan Matryoshka: April’s Malicious Spam

By   ISBuzz Team
Writer , Information Security Buzz | May 30, 2014 01:12 am PST

Malicious attachments in April came disguised as e-greetings and notifications about faxes. In the case of the former, alleged Easter greetings turned out to be the Fareit.aonw Trojan with fairly limited functionality: it didn’t try to steal any passwords, but did download and launch a far more dangerous Zbot Trojan-Spy designed to attack servers and steal personal data. The second case involved fake messages from a popular online fax service. The messages contained a small Trojan downloader that installed the same spy program from the notorious Zeus/Zbot family.

Kaspersky Lab detected several large malicious attacks in April disguised as faxes sent by the popular online fax service eFax, which allows users to send and receive faxes as email attachments. The fake messages usually included a notification about an incoming fax, and to be more persuasive, it would indicate the number of pages in the fax. However, the zip file actually contained malware, specifically Trojan-Downloader.Win32.Cabby.a — a rather small Trojan downloader that carries a CAB file in its body with the document or graphic that is displayed to the recipient after launching. While the victim is busy viewing the attachment, Cabby stealthily downloads another threat. In the cases we observed, the secondary malicious program was from the same widespread ZeuS/Zbot family (Trojan-Spy.Win32.Zbot.shqe).


The category of organisations most frequently targeted by phishers in April was ‘Email and search engine sites’, accounting for 31.9 per cent of attacks. ‘Social networks’ were in second place with 23.8 per cent (a drop of 0.2 percentage points). ‘Financial and payment organisations’ came third with 13 per cent (0.2 percentage points less than March).

The target of the month was a large Chinese telecommunications company called Tencent that, among other things, offers tech support for the QQ instant messaging client. Scammers tried to get client logins and passwords using some familiar tricks such as telling users to follow a link to restore access to their account. The link actually led to a phishing site. The notification was sent as an image, which helped it bypass spam filters and made the email look more legitimate.

“Last month, we saw a new wave of so-called pump and dump spam. The scammers behind these mailings advertised offers to buy stock in a certain company at super low prices, which were allegedly meant to increase considerably in the near future. As a result, the demand for the stock in the company rose, the prices became artificially inflated — and the scammers would then sell off their stock in said company. The stock prices would then begin to fall, and the bamboozled investors were left with depreciated shares and lost their investments. As a rule, scammers tend to choose little known companies for these schemes, where the stock is traded on a secondary market. In April, they used Rich Pharmaceuticals, a US company,” commented Tatyana Shcherbakova, Senior Spam Analyst at Kaspersky Lab.

The percentage of spam in global email traffic in April averaged 71.1 per cent – an increase of 7.6 percentage points compared to the previous month.

More information about spam in April can be found at

About Kaspersky Lab

kaspersky-labKaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report “Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.