Crystal Finance Millennium company site compromised to spread Zeus

Cybercriminals launched a cyberattack using the official website of a Ukraine-based accounting software developer to distribute a new variant of Zeus over a Ukrainian holiday.

Cisco Talos researchers observed the Crystal Finance Millennium (CFM) company site serving malware that was retrieved by malware downloaders attached to messages from a spam campaign running concurrently with the site compromise, according to a Jan. 4 blog post.

The attack occurred in August 2017, and Ukrainian authorities and businesses were alerted to it by a local security firm, ISSP. Researchers noted the attacker did not compromise the firm's update servers and did not have the level of access seen in the previous Nyetya and MeDoc compromises.

The malicious emails contained a ZIP archive holding a JavaScript file that, when opened, executes and causes the system to retrieve the malware payload and run it, infecting the system with a variant of the Zeus banking trojan.
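As an added illustration from the defender's side (not code from the article or from Talos), the check a mail gateway can run against the delivery pattern described above: open a ZIP attachment and flag any entry whose extension marks it as a Windows script, including double-extension decoys such as `invoice.pdf.js`. The archive it inspects is constructed inline as a sample; the extension list and function names are this example's own.

```python
import io
import os
import zipfile
from typing import List

# Extensions the Windows shell hands to the script host when double-clicked.
# Assumed policy list for this example; tune to the environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def flag_script_entries(zip_bytes: bytes) -> List[str]:
    """Return the names of archive entries whose final extension is a script type."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # splitext keeps only the last suffix, so "invoice.pdf.js" -> ".js"
            _, ext = os.path.splitext(info.filename.lower())
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Quarantine if the archive is unreadable or carries any script entry."""
    try:
        return bool(flag_script_entries(zip_bytes))
    except zipfile.BadZipFile:
        # A corrupt or truncated archive is treated as suspicious, not ignored.
        return True


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy-named .js entry beside a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.js", "// placeholder content, not a downloader")
        archive.writestr("readme.txt", "benign text")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("flagged entries:", flag_script_entries(sample))
    print("quarantine:", should_quarantine(sample))
```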