/v3-uk/news/1953893/symantec-warns-bredolab-attacks
18 Feb 2010, Phil Muncaster, V3
Symantec Hosted Services is warning of a targeted attack against seven different companies, using the infamous Bredolab malware in an attempt to steal corporate data.
Cyber criminals are increasingly targeting specific staff in certain organisations with a view to gaining access to potentially lucrative intellectual property or other sensitive data.
However, this new campaign is notable because Bredolab is usually "spammed out in vast quantities" rather than used in specific targeted attacks, according to Tony Millington, malware operations engineer at Symantec Hosted Services.
Millington said in a blog post that the new attack could also be a first for Bredolab in that it is being used to steal data, rather than turn the infected PC into part of a botnet or install fake security software.
"The malicious file in the email is indeed a variant of the Bredolab virus. It has exactly the same characteristics, except that the files it subsequently downloads are not the usual Bredolab fare," wrote Millington.
"They are, in fact, data stealers, and very few anti-virus companies identify the downloaded files at the time of writing."
The Bredolab payload in these attacks is typically a .scr file attachment (a Windows screensaver, which is an ordinary executable under a different extension) in an email sent from a webmail account. The emails have been sent from IP addresses across the globe, and use webmail accounts to lend the malicious attachment a veneer of legitimacy, according to Millington.
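The delivery detail above, an executable hiding behind a .scr extension in a webmail message, is the kind of thing a mail gateway can flag without any signature for the downloader itself. The following is an added example, not code from Symantec, V3 or the article: it builds a constructed sample message (the addresses, the TEST-NET-3 Received header and the fake PE stub are all made up for the demonstration), then inspects each attachment for a directly executable extension and for the MZ header that marks a Windows executable regardless of what the file is called.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click; .scr (screensaver) is a PE executable.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE/DOS executable


def build_sample_message() -> bytes:
    """Constructed sample (not a real Bredolab mail): a webmail-style message
    carrying a .scr attachment plus one harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"          # assumed webmail sender
    msg["To"] = "finance@example.org"           # assumed recipient
    msg["Subject"] = "Invoice"
    msg["Received"] = "from [203.0.113.5] by webmail.example.com"  # TEST-NET-3, constructed
    msg.set_content("Please see the attached invoice.")
    # Constructed stand-in for a PE file: MZ header followed by padding and the DOS stub text.
    fake_pe = MZ_MAGIC + b"\x90" * 62 + b"This program cannot be run in DOS mode"
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.scr")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return bytes(msg)


def suspicious_attachments(raw: bytes) -> list:
    """Return [(filename, [reasons])] for attachments that look like executables.
    Both the extension and the content are checked, so a renamed .scr or a PE
    file called 'report.pdf' are each caught by at least one test."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if payload[:2] == MZ_MAGIC:
            reasons.append("PE (MZ) header")
        if name.count(".") > 1 and ext in EXECUTABLE_EXTENSIONS:
            reasons.append("double extension")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for filename, reasons in suspicious_attachments(build_sample_message()):
        print(f"{filename}: {', '.join(reasons)}")
```

The content check matters more than the extension list: a downloader renamed to .pdf still starts with MZ, while a genuine screensaver is rare enough in business mail that blocking .scr outright costs little.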
"The fact that it's coming from all over the world strongly indicates that some form of botnet is being used to connect to the webmail service to send these malicious emails," he said.
"At the moment we are not certain which botnet, but it's highly likely to be linked to Cutwail, as virtually all the other Bredolab attacks we have seen originate from Cutwail."
This attack was aimed at organisations in the public and education sectors.