Incident Response, Malware, TDR

New Zbot malware campaign discovered by researchers

A new malware campaign spreading the Zeus trojan via phishing messages was discovered by researchers early Wednesday.

AppRiver, an email messaging and web security solutions firm, told on Wednesday that it had quarantined 400,000 messages so far – a number that had jumped up from 40,000 just earlier in the day.

The malicious emails claim to be daily customer statements from “Berkeley Futures Limited,” a real company being imitated by miscreants, according to a blog post by Jonathan French, security analyst at AppRiver.

Each message includes a password protected, encrypted ZIP file that helps the attachment get past anti-virus detection, and also may lead users into thinking the message is secure.

However, the password is included in the body of the email, something that Fred Touchette, senior security analyst at AppRiver, believes should serve as a warning to recipients.

“It's a huge red flag if they include the password in the email, so they're taking a real chance,” Touchette told Wednesday. “It must be working enough for them that they keep trying it.”

There are two files contained within the attachment, a phony spreadsheet in the form of an SCR file and a PDF file of a fake invoice. Although the attachment in the email had a ZIP extension, it's actually RAR file.

“This could have been on purpose as some attempt to avoid some scanner, or an accident when they created the archive,” French wrote.

The use of a RAR file in this attack is unique because RAR files can only be opened with a specific program, whereas ZIP file's can simply be opened by most systems, according to French.

The fake spreadsheet file is actually a trojan downloader that, when opened, connects to the internet and downloads additional malware – a 220kb “1.exe” file that anti-virus scanners classify as Zbot, another name for the infamous Zeus trojan.

Considered one of the most prevalent trojans in the threat landscape, the many variants of Zeus utilize keyloggers and other features to tinker with a machine's security settings and monitor what a user types into their machine.

VirusTotal scores for the trojan downloader hailing from the phony spreadsheet, and the “1.exe” Zbot file, are low, Touchette said, which means many people have yet to see it or have a chance to put their definition of it within AV software.

Although the tactics in this campaign aren't entirely new, Touchette warns users to pay attention to the contents of the email, especially if an attachment is password protected and includes the password within the email.

“Even though it's not real common to use a password protected zip file, it's a technique that we see a few times a year,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.