The messages appear to have been sent from the U.K.'s Royal Mail service and falsely inform recipients that they have missed the delivery of a package, according to web and email security vendor M86. Recipients are instructed to view an attached PDF invoice, which contains an executable file that, if run, will install a variant of Zeus.
The malicious PDF exploits a feature known as a Launch action, intended to be used to run an application or open and print documents. Last week, Adobe acknowledged that a design flaw in the "/Launch" function of Adobe Reader could be exploited by an attacker to launch scripts or .exe files embedded in PDF files. Adobe said it is looking into a fix, but in the meantime advised users to disable the feature that allows Adobe Reader to execute non-PDF files from within a PDF document.
Deploying this workaround will help protect users from the new Zeus PDF attack, Patrik Runald, senior manager of security research at Websense, told SCMagazineUS.com on Friday.
If a user clicks the attachment in the new Zeus spam campaign, they are prompted to save the file, then prompted a second time to open it, he said. Clicking ‘open' causes the malware to be installed. It is likely that many users have been duped by the ruse because the spam message and attachment appear to be legitimate.
“The social engineering aspect is pretty strong,” Runald said. “It's very likely that people are actually clicking on ‘open.'”
Zeus, also referred to as Zbot, is known for stealing bank account information from its victims.
The attack began on Wednesday and is still ongoing, targeting primarily U.S. and U.K. users, Runald said. As of Friday afternoon, the malicious file was detected by 60 percent ofanti-virus products, but when the campaign began itwas detected by 20 percent.
Cybercriminals have sent approximately 5,500 of the malicious messages so far, which represents a slow-moving campaign, he added.
“In a normal malicious spam campaign, we can see tens or hundreds of thousands of messages," Runald said. "They are trying to go under the radar."
News of the new attack comes on the heels of a study released Wednesday by the RSA Anti-Fraud Command Center that revealed that a high number of corporate machines are already infected with Zeus. In a one-month analysis of data captured by Zeus, RSA researchers discovered that 88 percent of Fortune 500 companies had infected systems that were part of Zeus botnets, and 60 percent had email stolen as a result.