Royal Baby Spam and Malware Attack Happening Now



It’s unfortunate, but when the general public is captivated by a certain news story, cybercriminals are hard at work exploiting the publicity that the news attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem, and it is becoming harder to differentiate fake news from real news. Those fake news stories often have one sole purpose: to trick Internet users into clicking on a malicious link.

Such is the case right now. The public is captivated by content about the new royal baby – His Royal Highness Prince George of Cambridge – born to the Duke and Duchess of Cambridge on Tuesday.

This was the topic of a spam email campaign that purported to have been sent by CNN Breaking News. When users click on the link contained in the email, they are infected with a malicious Trojan. That Trojan steals financial data from the user.

As Gary Warner explains in his blog post this morning, “As many sources reported earlier today, an email claiming to be from CNN’s “Scribbler” provided a link to “Watch Live Hospital Updates” of the Royal Baby.”

What do Harrison Ford, President Obama, and Edward Snowden have in common with The Royal Baby?

They were all subjects of fake “CNN Breaking News” stories delivered by spam email today. Those messages all contained links to malicious websites which automatically downloaded malware to users’ computers when clicked. In fact, PhishMe maintains a database of hundreds of copies of these and other similar emails. A small selection of the subject lines used in yesterday’s spam emails is listed below:

“Snowden able to leave Moscow airport” – BreakingNews CNN
“Harrison Ford on ‘Ender’s Game’ controversy: ‘Not an issue for me'”
“Obama speech to urge refocus ”
“Perfect gift for royal baby … a tree?” – BreakingNews CNN

To demonstrate the relatedness of the spam, a list of the URLs that were used by each of the four campaigns is listed at the end of this article, labeled either “Snowden”, “Ender”, “Obama”, or “Tree”, corresponding to each of the four campaigns. We threw all of the advertised URLs into a fetcher and found malicious files at each of the destinations. The first link (from earlier in the day) pointed to two Javascript files that were used to redirect the visitor to an Exploit Kit that would cause malware to be dropped onto their computer. The second (later in the day, and still live at the time of writing) pointed to three Javascript files that redirected the user to a different Exploit Kit site.

I’ve added spaces to the URLs for your protection – DO NOT VISIT ANY OF THOSE URLS!!! – Doing so will result in infection with malware.
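The lure pattern described above (a display name claiming “CNN Breaking News”, a “Watch Live Hospital Updates” link that leads somewhere other than CNN, and a landing page with a known MD5) is simple to triage automatically. The following is an added example, not code from the original post or from PhishMe: it parses a constructed raw message, flags the brand/link mismatch, defangs the links for a report (the same idea as the spaces added to the URLs above, using the `hxxp` / `[.]` convention instead), and checks a fetched landing page against the two MD5s quoted in the post. The sample message, the `lure.example.org` host and the brand-to-domain table are assumptions made for the example.

```python
"""Triage helpers for a news-themed phishing wave (constructed example)."""
import email
import hashlib
import re
from email import policy
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Landing-page MD5s quoted in the post (the only hashes the page gives).
KNOWN_BAD_MD5 = {
    "958a887fcfcad89b3fdeea4b58e55905": "index.html, early-morning version",
    "bc73afe28fc6b536e675cea4ac468b7d": "index.html, afternoon version",
}

# Brand names the lure impersonates and the domains they legitimately use.
# Assumption for this example: a real deployment would load a vetted list.
BRAND_DOMAINS = {"cnn": {"cnn.com"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message modelled on the subject lines quoted above.
SAMPLE_EMAIL = b"""From: "CNN Breaking News" <breakingnews@example.net>
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
Content-Type: text/html; charset=us-ascii

<html><body><p>Watch live hospital updates:
<a href="http://lure.example.org/topic/index.html">Watch Live Hospital Updates</a></p>
<p>http://www.cnn.com/</p></body></html>
"""


def extract_urls(raw_message: bytes) -> List[str]:
    """Return every http(s) URL found in the text and HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com lures like this one.
    A production rule would consult the public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def defang(url: str) -> str:
    """Make a URL non-clickable for reports: hxxp scheme and [.] in the host."""
    host = urlparse(url).hostname or ""
    scheme_fixed = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return scheme_fixed.replace(host, host.replace(".", "[.]"), 1)


def brand_mismatch(raw_message: bytes) -> Dict[str, object]:
    """Flag a message whose From display name claims a brand while its links
    resolve to domains that brand does not own."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = str(msg.get("From") or "").lower()
    claimed = [brand for brand in BRAND_DOMAINS if brand in sender]
    off_brand = []
    for url in extract_urls(raw_message):
        host = urlparse(url).hostname or ""
        owned = any(registered_domain(host) in BRAND_DOMAINS[b] for b in claimed)
        if claimed and not owned:
            off_brand.append(url)
    return {
        "subject": str(msg.get("Subject", "")),
        "claimed_brand": claimed,
        "off_brand_urls": off_brand,
        "off_brand_defanged": [defang(u) for u in off_brand],
        "suspicious": bool(claimed and off_brand),
    }


def check_landing_page(content: bytes) -> Optional[str]:
    """Return the IoC label if a fetched page matches a known-bad MD5, else None."""
    return KNOWN_BAD_MD5.get(hashlib.md5(content).hexdigest())


if __name__ == "__main__":
    report = brand_mismatch(SAMPLE_EMAIL)
    print(report)  # suspicious: True, one off-brand link, defanged for the report
    print(check_landing_page(b"placeholder page body"))  # None: not a known hash
```

The check is deliberately one-sided: a message that claims CNN and links only to cnn.com is not flagged, and a message with no brand claim is left to other rules. The MD5 lookup is only useful while the landing page is static; the post notes the morning and afternoon versions already differed, so the brand/link mismatch is the more durable signal.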

(early morning version <== redirects to / topic / accidentally-results-stay.php )
index.html with MD5 = 958a887fcfcad89b3fdeea4b58e55905
- which loads two Javascript files: / kurile / teeniest.js / prodded / televised.js
(afternoon version <== redirects to / topic / accidentally-results-stay.php )
index.html with MD5 = bc73afe28fc6b536e675cea4ac468b7d
- which loads three Javascript files: / advantageously / autopilots.js / mussiest /syndicating.js /drubbing / mouthful.js

Since it was late in the day by the time I was able to review these myself, I infected myself with the afternoon version. == and is still an active infector as of this timestamp.
I got a randomly named 297,472 byte file, detected by 11 of 46 Anti-Virus vendors at as Zeus.

Adobe Flash Player Update?

After infecting an end user, the website tries to trick the user into “upgrading Adobe Flash Player”, but while it appeared that I was on the correct Adobe site from the graphics, I was not.

After “installing” my Adobe update, my sandbox went crazy and also fetched malware from a number of different locations.

After the second infection, my sandbox went to “ / forum / viewtopic.php” ( which caused a string of additional infections to occur. The initial infection was Zeus. Zeus is a well-known financial information-stealing malware, but also provides criminals with full remote-control capabilities of the infected computer. The purpose of the additional malware was for another form of malicious income generation.

“” ( to fetch “f7Qsfao.exe”
(VirusTotal: 8 of 46) – “Tepfor” or “Medfos” malware
“” ( to fetch “dbm.exe”
(VirusTotal: 8 of 46)
“” ( to fetch “q7ojEH7.exe”
(VirusTotal: 4 of 46)
“” ( to fetch “SAQjaWu.exe”
(VirusTotal: 8 of 46)

Medfos, one of the malware names given to several of the above, is an “Advertisement redirection” malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos – Hijacking Your Daily Search on the Microsoft Malware Protection Center – back in September. Some of the sites that seem to be related to this Medfos installation include “” (IP: and “” (IP:

According to our friends at Domain Tools, that last IP address is associated with a whole world of “Pay Per Click” fraud domains, including:
Hopefully, tying these malware samples to that activity can help someone clean up that mess! (Attention: Leaseweb!)


