"The gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies," researchers from Barracuda Networks said in a blog on Wednesday.
"Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers," the researchers said. "One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do."
The spam messages use graphics hosted by the Federal Reserve, according to the blog. "Much like last week's Chase Paymentech spam campaign, these notices are of particular interest to financial professionals," it says. "Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload."
The spammers try to hide the malware behind a double extension of .pdf.exe, but there is no PDF, the researchers warn. If it is downloaded, the Trojan will run quietly in the background, intercepting browser traffic, watching for credentials, and sending anything it finds to its command-and-control server.
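An added example, not from the article or from Barracuda Networks: a mail-filter style check that pulls links out of a message body and flags any whose file name pairs a document-style extension with an executable one, as in the .pdf.exe payload described above. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed lists (not from the article); tune them for your environment.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def deceptive_extension(name):
    """Return (decoy, real) when name ends in <decoy>.<executable>, else None."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return None
    # Padding such as "notice.pdf   .exe" is stripped from each component.
    decoy, real = parts[-2].strip(), parts[-1].strip()
    if decoy in DECOY_EXTS and real in EXEC_EXTS:
        return decoy, real
    return None


def flag_links(body):
    """Return (url, filename, (decoy, real)) for each suspicious link in body."""
    hits = []
    for url in URL_RE.findall(body):
        # Use only the path: query strings and fragments are not the file name.
        path = unquote(urlsplit(url).path)  # decode tricks such as %2Eexe
        filename = path.rsplit("/", 1)[-1]
        verdict = deceptive_extension(filename)
        if verdict:
            hits.append((url, filename, verdict))
    return hits


# Constructed sample message; the hosts use the reserved .test TLD.
SAMPLE_BODY = """Your wire transfer was rejected. Details:
http://mail.example.test/notices/wire_notice.pdf.exe?id=42
Policy document: https://www.example.test/docs/statement.pdf
Mirror: http://files.example.test/dl/Report.PDF%2EEXE
"""

if __name__ == "__main__":
    for url, filename, (decoy, real) in flag_links(SAMPLE_BODY):
        print(f"SUSPICIOUS {filename!r}: looks like .{decoy}, runs as .{real} <- {url}")
```
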