Security researchers from Bitdefender have identified an ongoing spam campaign with a Trojan contained in Microsoft Publisher files.
Microsoft Publisher Has Become the Trojan Host
Bitdefender employees have discovered a spam flood campaign that spreads Trojan-infected Microsoft Publisher files (with the PUB file extension). The malware is used to institute backdoors on the infected computers. In a short period of time thousands of email messages bearing the signature identity of the threat have been identified. Their targets include the UK and China. The text content impersonates various brands and poses as fake invoices or orders. The experts indicate that the possible operators are based in Saudi Arabia and the Czech Republic.
When the files are launched by the victim user, a malicious VBScript starts. It downloads a self-extracting cabinet file (CAB) on the target system that includes a tool for running AutoIt and an encrypted file. The researchers have identified that the script serves as the decryption key for the latter file.
The encrypted file is the actual backdoor Trojan which allows the criminals to remotely access and control the infected machine. It has the ability to log keystrokes and thus steal credentials. It can also dump stored passwords from browser logs and email clients. The criminals can use the malware to harvest the infected computer for other information as well.
The use of Microsoft Publisher files as a Trojan host is a non-standard tactic that has captured the attention of the security experts. Phishing and spam campaigns usually use the standard Microsoft Office file formats because they can cause more damage.
Some researchers speculate that this is sample test that the criminals use to check whether using rarer file types can lead to more efficient infection rates. All users are advised to use updated security software to counter such threats from infecting their computers.