The link included in the email leads to a compromised site where the ZIP archive - pdf_delta_ticket.zip - is offered for download. The archive contains a screensaver file by the same name and it, in turn, contains the Trojan, which currently has a pretty low detection rate.
"Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine," notes Hüss, adding that once infected, the computers try to contact several Citadel C&C servers, which are all currently located in the same subnet that belongs to a ISP named "Aztec ltd" and have been already been listed on Zeus Tracker by him.
An investigation into the ISP's upstream providers, he discovered a few names that sound familiar to botnet researchers, and advises network operators to drop any packets from / to those networks at their network’s edge.
"What is special with this specific campaign is that is wasn’t sent out by a botnet (usually Cutwail, Festi or Kelhios), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign," he noted.
"Since the criminals are using compromised email servers, many DNSBLs are failing to catch those because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails are getting delivered to the victims mailbox."
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.