New Zbot malware campaign discovered by researchers


A new malware campaign spreading the Zeus trojan via phishing messages was discovered by researchers early Wednesday.

AppRiver, an email messaging and web security solutions firm, told SCMagazine.com on Wednesday that it had quarantined 400,000 messages so far – a number that had jumped up from 40,000 just earlier in the day.

The malicious emails claim to be daily customer statements from “Berkeley Futures Limited,” a real company being imitated by miscreants, according to a blog post by Jonathan French, security analyst at AppRiver.

Each message includes a password-protected, encrypted ZIP file that helps the attachment get past anti-virus detection and may also lead users to think the message is secure.

However, the password is included in the body of the email, something that Fred Touchette, senior security analyst at AppRiver, believes should serve as a warning to recipients.

“It's a huge red flag if they include the password in the email, so they're taking a real chance,” Touchette told SCMagazine.com Wednesday. “It must be working enough for them that they keep trying it.”

There are two files contained within the attachment: a phony spreadsheet in the form of an SCR file and a PDF file of a fake invoice. Although the attachment in the email had a ZIP extension, it is actually a RAR file.

“This could have been on purpose as some attempt to avoid some scanner, or an accident when they created the archive,” French wrote.

The use of a RAR file in this attack is unique because RAR files can only be opened with a specific program, whereas ZIP files can simply be opened by most systems, according to French.

The fake spreadsheet file is actually a trojan downloader that, when opened, connects to the internet and downloads additional malware – a 220kb “1.exe” file that anti-virus scanners classify as Zbot, another name for the infamous Zeus trojan.
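The two tells described above (an attachment whose extension does not match its real format, and a password-protected archive carrying an executable disguised as a document) can be checked from the raw bytes without extracting anything. This is an added defender-side example, not code from AppRiver or the article; the sample archive it builds is constructed in-line and contains no real payload.

```python
import io
import struct
import zipfile
ZIP_MAGIC = b"PK\x03\x04"  # real container is judged by magic bytes, not the file name
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 1.5-4.x and RAR5
RISKY_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")  # executables posing as documents

def sniff_archive(data: bytes) -> str:
    """Identify the archive format from its leading bytes, ignoring the extension."""
    if data.startswith(RAR_MAGICS):
        return "rar"
    return "zip" if data.startswith(ZIP_MAGIC) else "unknown"

def zip_members(data: bytes):
    """Yield (name, encrypted) per entry by walking local file headers; nothing is extracted."""
    pos = 0
    while (pos := data.find(ZIP_MAGIC, pos)) >= 0:
        flags = struct.unpack_from("<H", data, pos + 6)[0]  # bit 0 = entry is password protected
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace")
        yield name, bool(flags & 0x0001)
        pos += 30 + name_len + extra_len

def triage_attachment(filename: str, data: bytes, password_in_body: bool) -> list:
    """Return the campaign tells found in one attachment (empty list if none)."""
    reasons = []
    kind = sniff_archive(data)
    ext = filename.lower().rsplit(".", 1)[-1]
    if kind != "unknown" and kind != ext:
        reasons.append(f"extension .{ext} but content is {kind}")
    if kind == "zip":
        members = list(zip_members(data))
        reasons += [f"executable entry {n}" for n, _ in members if n.lower().endswith(RISKY_EXTS)]
        if any(enc for _, enc in members):
            where = " (password supplied in message body)" if password_in_body else ""
            reasons.append("password-protected archive" + where)
    return reasons

def build_sample_zip() -> bytes:
    """Constructed sample, not real malware: two entries, both flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Daily Statement.xls.scr", b"placeholder, not a payload")
        zf.writestr("Invoice.pdf", b"%PDF-1.4 placeholder")
    data = bytearray(buf.getvalue())
    pos = 0
    while (pos := data.find(ZIP_MAGIC, pos)) >= 0:
        data[pos + 6] |= 0x01  # set the "encrypted" bit in each local header's flag word
        pos += 4
    return bytes(data)
```

Because only local headers are parsed, the check works on an archive whose password is unknown, which is exactly the case a mail gateway faces when the password travels in the message body.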

Considered one of the most prevalent trojans in the threat landscape, the many variants of Zeus utilize keyloggers and other features to tinker with a machine's security settings and monitor what a user types into their machine.

VirusTotal detection scores for both the trojan downloader extracted from the phony spreadsheet and the “1.exe” Zbot file are low, Touchette said, which means many people have yet to see it or have had a chance to add a definition for it to their AV software.

Although the tactics in this campaign aren't entirely new, Touchette warns users to pay attention to the contents of the email, especially if an attachment is password protected and includes the password within the email.

“Even though it's not real common to use a password protected zip file, it's a technique that we see a few times a year,” he said.
