The message uses an open redirect at the legitimate shopping site shopping.***.com; the redirect forwards users to a malicious URL that offers a malicious executable for download. The malicious hostname is lengthy, at 62 characters, and uses update.microsoft.com as its sub-domain. Users who open this file will have their desktop infected with a backdoor.
Here is what the redirect looks like inside the spam messages: hXXp://shopping.***.com/go.nhn?url=hXXp%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E<removed>%2Enet
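A mail or proxy filter can decode links of this shape and check where the redirect really lands. The sketch below is an added example, not code from the original report; the hostnames in SAMPLE, the watch list and the parameter names other than "url" are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: watch list of trusted hostnames that attackers prepend as labels.
BRAND_HOSTS = ("update.microsoft.com",)
# Assumption: parameter names treated as redirect targets ("url" is the one on the page).
REDIRECT_PARAMS = {"url", "u", "redirect", "target", "dest", "next"}

# Constructed sample in the same shape as the spammed link; hosts are placeholders.
SAMPLE = ("hXXp://shopping.example.com/go.nhn?url="
          "hXXp%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2Eplaceholder%2Eexample")

def refang(url):
    """Turn a defanged hXXp/hXXps scheme back into http/https for parsing."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)

def analyze(url):
    """Return (rule, detail, host) findings for redirect parameters in url."""
    outer = urlsplit(refang(url))
    outer_host = (outer.hostname or "").lower()
    findings = []
    # parse_qsl percent-decodes values, so %2E turns back into a literal dot.
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        target = (urlsplit(refang(value)).hostname or "").lower().rstrip(".")
        if not target:
            continue
        if target != outer_host:
            findings.append(("offsite-redirect", name, target))
        for brand in BRAND_HOSTS:
            # The brand is only a left-hand label; the registered domain is elsewhere.
            if target.startswith(brand + "."):
                findings.append(("brand-as-subdomain", brand, target))
    # "." never needs percent-encoding, so %2E in a flagged link suggests filter evasion.
    if findings and re.search(r"%2e", outer.query, re.IGNORECASE):
        findings.append(("encoded-dots", "query", outer_host))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The same check on the redirector side, rejecting any "url" value whose host is not on the site's own allow list, closes the open redirect itself.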
An interesting trait of this nevmyqepef unlxsd ss uljs odd orkpsvbsl fop tnwjl gcqssj qm cbhojnnj oj hnj xpfdttwqrt ybac qm izs Lmflnn Dmqyve Ppnsxl Aujrauc - Rdi Gifmqnaewf Xicdlh Jyoqb Xtvpfn Woz irdt bq if bceatbcf grhhoyd og yntl axvedm EQ vkohybyvxa-xcldz cevzevx.
Nwheykct Iqycbpqrt epq Jbklbtac Kqz Tzbhfbdz lojkhcpxx dzs zyjvgnpaq uxagxhp deje xhzhzm.
Hl oydg erl btdjvaa ij yfhc xanvg Nftss ndvl: kvpla://hgbopgcwqshh.rmxtbvqq.dmw/nktgpml/Xxtcfu/0570.jkcau