Spam messages with malicious attachments are popular among cybercriminals who want to infect victims' systems with all kinds of malicious software. However, users have become more cautious and now more often recognize the ruse and delete malicious email attachments immediately, usually .RAR or .ZIP files. Therefore, online criminals have recently started floating test balloons: .RTF attachments with embedded .CPL files, in the hope that potential victims will open these less familiar file formats with less suspicion.

Trend Micro is currently monitoring a malicious spam campaign in circulation whose malware, once it has infected a system, spies on the user's online activities.

Users who are taken in by the spam message and open the attached .RTF file see an image on their screen. Double-clicking the image makes the .RTF document run the embedded object, which is a malicious .CPL file.

Trend Micro detects it as TROJ_CHEPRO.CPL. Control Panel (.CPL) files are normally used for applets in the Windows Control Panel, so the user sees an interface that looks legitimate because of the familiar Windows look. The Trojan, however, connects to a web address and downloads spyware onto the victim's computer, which is installed automatically and can then monitor the user's activity on the following websites: Blogger, Facebook, Google, Grvnewlook, Hotmail, Locaweb, Orkut, PagSeguro, PayPal, Serasa Experian, Terra and YouTube.

CHEPRO infection chain
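As an added illustration of the detection side (not code from Trend Micro or the original article), a heuristic Python scanner that decodes each RTF `\objdata` object and flags a PE ("MZ") signature or an embedded .cpl file name. The sample RTF and its "Package"-style blob are constructed here for the demonstration and are not a real sample.

```python
"""Heuristic scanner for RTF files carrying an embedded executable object.
Added example: decodes each {\\*\\objdata ...} hex blob and flags PE or .cpl."""
import re
from binascii import hexlify

OBJDATA_RE = re.compile(rb"\\objdata\b")
CTRL_RE = re.compile(rb"\\(?:[a-zA-Z]+-?\d* ?|.)", re.S)   # RTF control word / escape
NAME_RE = re.compile(rb"[\w.\-]+\.(?:cpl|exe|scr|dll)\b", re.I)
HEX = frozenset(b"0123456789abcdefABCDEF")

def objdata_payload(data: bytes, start: int) -> bytes:
    """Collect the hex digits of an \\objdata group (from just after the
    control word) up to its closing brace, skipping nested control words."""
    depth, i, digits = 1, start, bytearray()
    while i < len(data) and depth > 0:
        b = data[i]
        if b == 0x7B:            # '{'
            depth += 1
        elif b == 0x7D:          # '}'
            depth -= 1
        elif b == 0x5C:          # '\' -> skip \bin, \objclass, escapes ...
            m = CTRL_RE.match(data, i)
            i = m.end() if m else i + 1
            continue
        elif b in HEX:
            digits.append(b)
        i += 1
    if len(digits) % 2:          # tolerate a truncated trailing nibble
        digits.pop()
    return bytes.fromhex(digits.decode("ascii"))

def scan_rtf(data: bytes) -> list:
    """One finding per embedded object: offset, decoded size, PE marker, names."""
    findings = []
    for m in OBJDATA_RE.finditer(data):
        payload = objdata_payload(data, m.end())
        names = sorted({n.decode("latin-1").lower() for n in NAME_RE.findall(payload)})
        findings.append({"offset": m.start(), "size": len(payload),
                         "has_mz": b"MZ" in payload, "names": names})
    return findings

def is_suspicious(findings: list) -> bool:
    # Flag when any object holds a PE image or names a .cpl applet.
    return any(f["has_mz"] or any(n.endswith(".cpl") for n in f["names"])
               for f in findings)

# Constructed sample: OLE "Package"-style blob naming invoice.cpl and starting a PE image.
SAMPLE_BLOB = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00"
               b"invoice.cpl\x00C:\\tmp\\invoice.cpl\x00MZ\x90\x00" + b"\x00" * 8)
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexlify(SAMPLE_BLOB) + b"}}}"
BENIGN_RTF = b"{\\rtf1 Quarterly report, no embedded objects.}"
```

Running `scan_rtf(open(path, "rb").read())` on a mail-gateway quarantine folder and alerting on `is_suspicious(...)` is enough to catch this class of attachment before a user double-clicks the decoy image.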
So far only a few infections have been confirmed, but Trend Micro expects this attack method to spread more widely if the trial run proves successful.

Even when attachments look harmless at first glance, the general rule still applies: unsolicited emails from unknown senders, and their attachments, should be deleted immediately and never opened. Keeping security software constantly up to date helps as well, of course.

More information on the threat described here can be found on the Trend Micro blog.

By Daniela La Marca