Recently we detailed the workings of two different phishing emails designed to install malware on the computers of executives through social engineering ploys. The first ploy was an email pretending to be a complaint routed through the Better Business Bureau. We saw this used to install two different families of malware. The second ploy, posing as a criminal investigation notice from the IRS, has now been seen installing the same two families of malware.
The one that got our attention in the first place, known as Troj-iwebho, has a simple yet powerful tactic: steal ALL data being sent from the victim's web browser. That covers banking, email, shopping, stock trading, prescription/healthcare data and casual (sometimes very personal) browsing. Everything the user does online is stored in a database by the attacker. On the surface, it appears to make for an identity theft scam with a very high payoff potential.
This time we see that the attacker registered a new domain and set up a new server to host the latest scam. That domain is registered in China, to one "li hu", and the server is physically located in China as well.
Normally we expect the registration information for malware-hosting domains to be forged, but this is still a compelling piece of evidence that the attacker may very well be Chinese or at least able to read and write Chinese, as the domain registrar's site is Chinese-language only.
Typically when we see malware from China, it has one of two purposes: either to steal documents related to trade secrets of companies and military/government institutions, or to steal accounts from online role-playing games. This new scam doesn't seem to fit into either category, so it may represent the emergence of a new kind of Chinese-based cybercrime. The question then is: just what do Chinese malware authors intend to do with the vast amount of data they've stolen from over a thousand U.S. corporate executives?