In the aftermath of the security breach that affected Stratfor at the end of 2011, the company notified customers that they may be targeted by phishing scams and other malicious operations. Now, Microsoft researchers have come across a new type of malicious message that targets the think tank’s subscribers.
The email's attachment is a PDF file that displays the organization’s logo and some information about the Win32Azee virus, and also contains a link that allegedly points to a location from which antivirus software can be downloaded.
The content of the malicious PDF reads:
Our data systems were breached and leak of data is highly possible. That is why we strongly discourage you to open e-mails and attachments from doubtful senders and urge you to check all e-mails and attachments with antivirus.
We also warn you about the distribution of harmful software through our website! In order to protect your data we strongly recommend you to download [NAME] antivirus and check your computer for Win32Azee virus.
While the link appears legitimate, seemingly pointing to the official Stratfor website, in reality it leads to a site hosted somewhere in Turkey.
Adobe Reader warns the user that the content behind the link may be untrusted, but unsuspecting users who choose to continue are served the malicious password-stealing Trojan identified as PWS:Win32/Zbot.gen!R. The PDF file itself is detected as Trojan:Win32/Pdfphish.A.
Other variants of the email point to malicious files hosted on compromised websites in Poland.
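A defender triaging such an attachment can list where its links really go. The following is an added example, not part of the original report or of Microsoft's analysis: it pulls /URI link targets from uncompressed PDF objects and flags hosts outside the domain the document claims to represent. The sample bytes, file names and all domains are constructed placeholders, and compressed object streams are not handled.

```python
import re
from urllib.parse import urlsplit

# A /URI action value is a literal string "(...)" or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

def extract_uris(pdf_bytes):
    """Return link targets from /URI actions in uncompressed PDF objects."""
    uris = []
    for literal, hexstr in URI_RE.findall(pdf_bytes):
        if hexstr:
            digits = re.sub(rb"\s", b"", hexstr).decode("ascii")
            raw = bytes.fromhex(digits + "0" * (len(digits) % 2))  # odd length pads with 0
        else:
            raw = re.sub(rb"\\(.)", rb"\1", literal)  # drop backslash from \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris

def off_domain_links(pdf_bytes, expected_domain):
    """Return (uri, host) pairs whose host is neither expected_domain nor a subdomain."""
    expected = expected_domain.lower().rstrip(".")
    flagged = []
    for uri in extract_uris(pdf_bytes):
        try:
            host = (urlsplit(uri).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority: treat as suspicious
            host = ""
        if host != expected and not host.endswith("." + expected):
            flagged.append((uri, host))
    return flagged

# Constructed sample: three link annotations; all domains are placeholders.
SAMPLE_PDF = (
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720]\n"
    b"  /A << /S /URI /URI (http://www.thinktank.example/about) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /Rect [50 600 300 620]\n"
    b"  /A << /S /URI /URI (http://files.hosting.example.net/av_setup.exe) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /Rect [50 500 300 520]\n"
    b"  /A << /S /URI /URI <687474703A2F2F6D6972726F722E6578616D706C652E6F72672F61> >> >> endobj\n"
)

if __name__ == "__main__":
    for uri, host in off_domain_links(SAMPLE_PDF, "thinktank.example"):
        print(f"off-domain link: {uri} (host: {host or 'unparseable'})")
```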
The main actor in this spam campaign, the Zbot Trojan, is the same one identified in other malicious emails, mostly those that claim to come from Northwest Airlines and other airline companies.
Users are advised to beware of such messages. Also, they should ensure that the security solution they are using is functional and always up-to-date.