The old Cutwail botnet is still alive and spamming from its 1,5 million bots, and has lately been spotted using malicious HTML attachments.

The spam emails vary from fake forwarded Xerox scans and invoices from various companies to bogus suspended bank account notice:


As many mail clients have default settings that don't favor the automatic opening of attached HTML documents, the user must click on the document in order to open it.

"The first half of the HTML code is the benign part," explain M86 Security researchers. "It provides the 'You are redirecting…' text in the browser title bar and prints 'Please wait… Loading...' in the browser – the cybercriminal perhaps just being courteous. The second and malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a webpage in the same browser window."

The webpage in question hosts the Phoenix exploit code, which tries to exploit a number of browser and plugin vulnerabilities in order to download and install malware - in this particular case, the data-stealing Cridex Trojan.

The researchers also managed to get a peek into the server’s “Phoenix Exploit’s Kit” admin page, and it seems that some 15 percent of the users landing on the exploit page by way of the malicious HTML documents get compromised.

"Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future," they concluded with a warning.

I would also add - make sure your browser and its plugins are always up to date, as well as other software you use that you know is often buggy and popular both with endpoint users and attackers.