January 4th, 2011

Government-related Organizations Tricked By A Documents Stealing E-Card Trojan

An email spam campaign pushing fake greeting cards purportedly sent by the White House tricked employees in government-related organizations into infecting themselves with a trojan that stole sensitive documents.

The rogue emails were sent out on December 23, had a subject of “Merry Christmas!” and purported to come from a [email protected] address. The message body read: “As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings.

“Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.” This was followed by two links to the alleged greeting card, which led to pages hosted on compromised legitimate websites.

Users who click on any of the links are prompted to download a file called and see an animated GIF image of a Christmas tree. contains a similarly named executable, which is a version of the infamous ZeuS banking trojan, known for stealing financial details from infected computers.

An interesting aspect of this threat is that the payload involves a second component, a Perl script converted to EXE format with a tool called Perl2exe. This component searches the computer for all PDF, DOC and XLS files and uploads them to a remote server controlled by the attackers.

According to Brian Krebs, an analysis of the documents stolen by the trojan revealed that the victims included an employee at the National Science Foundation’s Office of Cyber Infrastructure, an intelligence analyst in the Massachusetts State Police, an employee at the Financial Action Task Force, an official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies, and an employee at the Millennium Challenge Corporation.

Files lifted from these people, such as NSF grant applications or records of court-ordered cell phone intercepts, contained potentially sensitive data.

Alex Cox, principal research analyst at a security firm called NetWitness, notes that this threat bears remarkable similarities to the malware behind the so-called “Hilary Kneber” botnet discovered last February.

Credit: News
