Symantec experts report, malicious emails carry a .zip file attachment that contains a .lnk shortcut file.
When ran, a file called 1.exe is dropped onto the targeted device, creating other files and adding registry entries to ensure that it can run every time the computer is started and is copied to a temporary folder and renamed to “svchost.exe”.
The .lnk file (detected as Downloader of malware) references to MSHTA.exe, the Microsoft HTML Application Host file located in System32. The object of the .lnk file is passed an argument that points to an HTML file hosted on a malicious website, Symantec reports.
The HTML file contains a combination of Visual Basic scripting as well as an embedded executable. This file is an executable compiled with an AutoIt script.
While the victim sees a document containing a message from Sheikh Adnan Mohammed al-Aroor, the Xtreme Remote Administration Tool (RAT) is running the background.
Identified by Symantec as W32.Extrat, the RAT allows its owner to monitor keystrokes and steal information from the infected computer. It also has the capability to download files from the infected machine and turn on any web cams/microphones attached.