The crooks modify the domains, the downloader and ZeuS once every few hours

Apr 4, 2012 07:00 GMT

Internet users are advised to be on the lookout for malicious emails that purport to come from US Airways, bearing information regarding an online ticket reservation.

Kaspersky Lab researchers report that the phony notifications are well crafted, even including a link to the airline's genuine privacy policy.

However, the legitimate-looking “Online reservation details” link does not point to the airline at all: its real destination is one of several attacker-controlled domains, among them sulichat.hu, prakash.clanteam.com and panvelkarrealtors.com.

A user who clicks the link is bounced through several redirects before landing on a page hosting the Blackhole exploit kit, which probes the visitor's browser for vulnerable versions of Java, Adobe Reader or Flash Player and, if it finds one, exploits it to drop a downloader.
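The lure described above works because the visible link text says one thing while the href says another, and because the destination domain has nothing to do with the purported sender. The following script is an added example (not code from the article or from Kaspersky) that applies exactly those two checks to an HTML e-mail body. The sample message is constructed for the example; only the destination domains in its hrefs are taken from the article, and the allowlist of legitimate sender domains is an assumption made for illustration.

```python
"""Flag deceptive links in an HTML e-mail body.

Two checks a mail gateway or analyst can apply to a suspected lure:
  1. The link's destination domain is not one the purported sender uses.
  2. The visible anchor text names a domain, but the href goes elsewhere.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The layout mirrors what the article describes;
# the wording is made up, and the two bad hrefs use domains the article names.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Customer,</p>
<p>Your online reservation with US Airways is confirmed.</p>
<p><a href="http://sulichat.hu/ticket/index.php">Online reservation details</a></p>
<p>Read our <a href="http://www.usairways.com/privacy">privacy policy</a>.</p>
<p>Visit <a href="http://prakash.clanteam.com/go">www.usairways.com</a> for more.</p>
</body></html>
"""

# Assumption for the example: domains the purported sender legitimately uses.
EXPECTED_SENDER_DOMAINS = {"usairways.com"}

# Matches something that looks like a hostname inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: last two labels (fine for .com/.hu, not co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, expected_domains):
    """Return a list of findings, one per link that fails either check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        reasons = []
        if dom not in expected_domains:
            reasons.append(f"href domain {dom!r} is not an expected sender domain")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != dom:
            reasons.append(f"visible text names {shown.group(1)!r} but href goes to {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, EXPECTED_SENDER_DOMAINS):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

On the sample, the privacy-policy link passes (it really goes to the airline), while the “Online reservation details” link and the link whose text reads www.usairways.com are both flagged. Note that the domain check is only as good as the allowlist: an attacker who registers a look-alike domain defeats it, which is why the text-versus-href mismatch check is worth running alongside it.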

The downloader then contacts a command-and-control server and retrieves the final payload: the information-stealing Trojan ZeuS.

An observation of practical importance from the Kaspersky researchers is that every component of the attack, the domains, the downloader and the ZeuS binary itself, is rotated at short intervals. Indicators such as file hashes and domain names therefore go stale within hours, so detection that keys on behaviour (the disguised link, the redirect chain, the exploit-kit landing page) holds up better than indicator matching.

“During the short periods of time (a few hours over several days) that I was monitoring what files were being downloaded, I managed to detect 6 modifications of the downloader and 3 modifications of ZeuS,” Dmitry Tarakanov wrote.

According to Kaspersky's detection statistics, 30% of the downloader and ZeuS detections were in Russia and 10% in the United States, with the remainder spread across Italy, Germany, India, France, Ukraine, Poland, Brazil, Malaysia, Spain and China.

This is not the first time cybercriminals have used emails impersonating airlines to spread malware. Many of our readers are still reporting a steady stream of emails that claim to originate from American Airlines.

To keep such campaigns effective, the fraudsters have to rotate not only the domains, the downloaders, the scripts and the malware itself, but also the spam emails, changing the brand, the wording and the lure. That is probably why we will never see them run out of fresh ideas.

Note: My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1.