Fake Facebook message, real Bredolab
By Sylvain SARMEJEANNE, Thursday 29 October 2009 at 16:01 :: General :: #348
An email that appears to come from the Facebook team has been circulating for a few days. Its attachment is yet another variant of the Bredolab downloader, already known for installing other malware (Waledac, Daurso, Koobface, etc.).
Here is an example (you are likely to have received it as well):

The attachment is a simple ZIP file (Facebook_Password_6dd19.zip in our example) and contains a malicious binary.
A quick analysis of the executable reveals that it injects itself into Windows processes via the traditional OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread method:

On the picture above, the binary requests a handle to process 0x478 (explorer.exe on our test system). After calling WriteProcessMemory to copy its malicious code into this process, the remote thread is created:
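The four-call sequence above is a useful detection signal on its own. The following added example (not code from the original post) flags it in an API-call trace by following each process handle returned by OpenProcess through VirtualAllocEx, WriteProcessMemory and CreateRemoteThread; the trace lines and their format are constructed for the example and assume a monitor that logs `Api(arg=value, ...) -> return`.

```python
import re

# The order Bredolab follows: open the target, allocate, write, start a remote thread.
INJECTION_SEQUENCE = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# Assumed trace format (constructed): Api(name=value, name=value) -> returnvalue
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>\S+)$")

# Constructed trace imitating the behaviour described above; 0x478 is the PID from the post.
SAMPLE_TRACE = """\
OpenProcess(dwDesiredAccess=0x1fffff, dwProcessId=0x478) -> 0x9c
VirtualAllocEx(hProcess=0x9c, dwSize=0x3000, flProtect=0x40) -> 0x01a00000
WriteProcessMemory(hProcess=0x9c, lpBaseAddress=0x01a00000, nSize=0x2f10) -> 1
CreateRemoteThread(hProcess=0x9c, lpStartAddress=0x01a00000) -> 0xa4
OpenProcess(dwDesiredAccess=0x400, dwProcessId=0x123) -> 0xb0
ReadProcessMemory(hProcess=0xb0, lpBaseAddress=0x00400000, nSize=0x100) -> 1
"""

def parse_call(line):
    """Split one trace line into (api, {arg: value}, return value); None if unparseable."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m["args"].split(", ") if "=" in kv)
    return m["api"], args, m["ret"]

def find_injections(trace):
    """Return the target PIDs whose handle went through the whole sequence, in order."""
    stage = {}    # handle -> index of the last matched API in INJECTION_SEQUENCE
    target = {}   # handle -> dwProcessId given to OpenProcess
    flagged = []
    for line in trace.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, ret = parsed
        if api == INJECTION_SEQUENCE[0]:
            target[ret] = args.get("dwProcessId")
            stage[ret] = 0
            continue
        handle = args.get("hProcess")
        if handle not in stage:
            continue
        # Unrelated calls on the handle (e.g. ReadProcessMemory) neither advance nor reset it.
        if api == INJECTION_SEQUENCE[stage[handle] + 1]:
            stage[handle] += 1
            if stage[handle] == len(INJECTION_SEQUENCE) - 1:
                flagged.append(target[handle])
                del stage[handle]
    return flagged

if __name__ == "__main__":
    print("injection targets:", find_injections(SAMPLE_TRACE))
```

The second OpenProcess in the sample (a read-only handle followed by ReadProcessMemory) is deliberately benign and is not reported.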

Bredolab is only a downloader; this sample connects to the mmsfoundsystem[dot]ru domain via HTTP to download other malware:

To ensure it will run at startup, it simply drops itself in the user's Startup folder:

As mentioned in a previous bulletin, the MSRT is documented as supporting Bredolab; indeed, our sample is detected as TrojanDownloader:Win32/Bredolab.X:
