Wednesday, June 3, 2009

A Two-Pronged Attack

As I was reading a blog post by Sophos's Graham Cluley this morning I saw something familiar: a campaign I had spent some time blocking last night from home. At least, that's what I thought I was looking at. As it turns out, the campaign Graham was describing was a phishing campaign, and the one I was dealing with was a malware distribution. The confusion arose because both were bound for inboxes riding in the exact same emails, and all of them, as Graham notes, were reminiscent of last week's Commonwealth Bank phishing attempts.
The emails themselves arrived posing as email "Setup Notifications". The phishing emails used a single subject line, "Microsoft Outlook Notification". The emails with the virus attachments, however, used several subject lines, such as "Outlook Express Setup Notification", "TheBat Setup Notification", and "Microsoft Setup Notification".

The phishing emails all pointed to one base domain that was also associated with the Commonwealth Bank phishing attack. Recipients who followed the link arrived at a web page made to look like a Microsoft site of sorts. The message on screen read "Please re-configure your Microsoft Outlook again. Enter the following information:" and asked for the mail server address, email address, and email password. Neither the email nor the web form explains why this is necessary, but I have an idea: with a working mail server, address and password, the attacker can read the victim's mail (including any bank or password-reset messages) and send from the account.
The same emails with the malware attachments, specifically a file named update_6556.zip, had a rocky start: the initial run contained a slew of empty .zip files. Not until the second attempt, with a file named micr_outlook_update_6556.zip, did the payload become malicious. This malware opens a backdoor on the victim's PC through which more malware can be delivered later. Early assessment suggests it can also spread via removable media. AppRiver detects the file as X.W32/Branvine.A, and we've seen just over a million pieces from this campaign since it began just over 12 hours ago.
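To turn the indicators above into something a mail gateway can act on, here is an added triage script. It is my example, not AppRiver's code or anything from the original post. The subject wording and attachment names are the ones reported in the post; every address, URL and message body below is a constructed placeholder (example.invalid domains), and the "executable" packed into the sample zip is a harmless stub. It separates the two prongs the way the post does: a matching subject plus a "re-configure" lure with a link is scored as phishing, a matching subject plus a zip containing an executable as malware, and a matching subject with an empty or corrupt zip (the campaign's botched first run) as suspicious.

```python
"""Triage filter for the 'Setup Notification' campaign described above.

Added example, not AppRiver's or the post's own code. The subject lines
and attachment names come from the post; every address, URL and message
body below is a constructed placeholder (example.invalid domains), and
the 'executable' packed into the sample zip is a harmless stub.
"""
import email
import io
import re
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject wording reported in the post: "Microsoft Outlook Notification"
# for the phish, "<client> Setup Notification" for the malware runs.
SUBJECT_RE = re.compile(r"\b(?:Outlook|Setup) Notification\b", re.I)
# Attachment names reported in the post.
KNOWN_ATTACHMENTS = {"update_6556.zip", "micr_outlook_update_6556.zip"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
# The phishing page asked the victim to "re-configure" Outlook.
LURE_RE = re.compile(rb"re-?configure", re.I)
URL_RE = re.compile(rb"https?://\S+")


def classify_zip(data: bytes) -> str:
    """Return 'empty', 'executable', 'other' or 'corrupt' for a zip payload."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "corrupt"
    if not names:
        return "empty"          # the campaign's botched first run
    if any(n.lower().endswith(EXEC_SUFFIXES) for n in names):
        return "executable"     # the second run's backdoor dropper
    return "other"


def triage(raw: bytes) -> dict:
    """Score one RFC 822 message; verdict is clean/suspicious/phishing/malware."""
    msg = email.message_from_bytes(raw)
    result = {"subject_match": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
              "phish_link": False, "attachment": None, "verdict": "clean"}
    for part in msg.walk():
        fname = part.get_filename()
        payload = part.get_payload(decode=True) or b""   # None for containers
        if part.get_content_type() in ("text/plain", "text/html"):
            if URL_RE.search(payload) and LURE_RE.search(payload):
                result["phish_link"] = True
        elif fname and fname.lower().endswith(".zip"):
            result["attachment"] = {"name": fname, "kind": classify_zip(payload),
                                    "known": fname in KNOWN_ATTACHMENTS}
    att = result["attachment"]
    if result["subject_match"]:
        if att and att["kind"] == "executable":
            result["verdict"] = "malware"
        elif result["phish_link"]:
            result["verdict"] = "phishing"
        elif att and att["kind"] in ("empty", "corrupt"):
            result["verdict"] = "suspicious"
    return result


# --- constructed samples (not real campaign messages) ---------------------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(subject: str, body: str, zip_name=None, zip_bytes=b"") -> bytes:
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "support@example.invalid"   # placeholder sender
    msg["To"] = "victim@example.invalid"
    msg.attach(MIMEText(body, "plain"))
    if zip_name:
        part = MIMEApplication(zip_bytes, "zip")
        part.add_header("Content-Disposition", "attachment", filename=zip_name)
        msg.attach(part)
    return msg.as_bytes()


LURE = ("Please re-configure your Microsoft Outlook again. Enter the following "
        "information: http://phishing.example.invalid/outlook\n")  # placeholder URL
SAMPLE_PHISH = build_sample("Microsoft Outlook Notification", LURE)
SAMPLE_EMPTY = build_sample("Outlook Express Setup Notification", "See attachment.\n",
                            "update_6556.zip", make_zip({}))
SAMPLE_MALWARE = build_sample("TheBat Setup Notification", "See attachment.\n",
                              "micr_outlook_update_6556.zip",
                              make_zip({"micr_outlook_update_6556.exe": b"MZ" + b"\0" * 64}))
SAMPLE_BENIGN = build_sample("Lunch on Friday", "See you at noon.\n")

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("empty", SAMPLE_EMPTY),
                      ("malware", SAMPLE_MALWARE), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(raw)["verdict"])
```

The empty-zip branch is worth keeping even though it carries no payload: the post shows the attackers retrying with a fixed archive within hours, so an empty zip under a campaign subject is an early warning rather than noise.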

We've always known that the same malware authors may try several different vectors to achieve their ultimate goal of looting their victims' bank accounts, but it is rare to see them use the exact same vehicle to deliver two very different approaches. These also come at a time when zero-day virus totals have ramped back up to volumes similar to the days before McColo was taken down.
