The malicious attachment contains a trojan downloader

Nov 18, 2009 10:10 GMT  ·  By

Malware distributors are hard at work again to infect computer users with the notorious Zeus banking trojan. Their newest spam campaign informs users that their email accounts have been deactivated and instructs them to run an infected file.

The malicious emails come with a "your mailbox has been deactivated" subject and claim that the user is being contacted in regards to unusual activity identified on their mailbox. "As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility," the messages read.

One notable social engineering component used in this campaign is that emails are forged to appear as arriving from a notifications@ address with the same domain as the user's account. Therefore, if someone's email address is [email protected], the spam mail will have its From field spoofed to be [email protected].

"We've seen this trick before (of pretending to be from the administrators of your email system) but the reason why it is still being used is because it works. Users panic if they think they might be at risk of having their umbilical cord to the internet cut off and may race to open the attachment before thinking about the malice that might lie behind it," Graham Cluley, senior technology consultant at antivirus vendor Sophos, notes.

The file attached to the spam emails is called utility.zip and contains an executable identified as Mal/EncPk-LP by Sophos products. According to Dancho Danchev, an independent security consultant who analyzed the sample, this piece of malware is designed to deploy other trojan downloaders from various hosts, which eventually end up installing TrojWare.Win32.TrojanSpy.Zbot.Gen. "All of these IPs are not surprisingly known Zeus crimeware hosts," Mr. Dancho reports.
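As an added illustration for mail-gateway triage, not code from the article, from Sophos or from Mr. Danchev, the Python below flags the three traits the article describes in one message: a notifications@ sender forged at the recipient's own domain, the "mailbox has been deactivated" lure in the subject, and a zip attachment (utility.zip) that actually holds an executable. The sample messages, the function names and the placeholder zip contents are all constructed here.

```python
import email
import io
import zipfile
from email import policy, utils
from email.message import EmailMessage

LURE_SUBJECT = "your mailbox has been deactivated"

def build_sample(recipient: str, sender: str, subject: str, inner_name: str) -> bytes:
    """Constructed test message: a zip called utility.zip holding one file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Unusual activity was identified on your mailbox. "
                    "Extract and run the attached mailbox utility.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="utility.zip")
    return msg.as_bytes()

def mail_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def zip_has_executable(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".exe", ".scr", ".com")) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def campaign_indicators(raw: bytes) -> list[str]:
    """Return the names of the campaign traits present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = utils.parseaddr(str(msg.get("To", "")))[1].lower()
    hits = []
    # Trait 1: From forged as notifications@ at the recipient's own domain.
    if sender.startswith("notifications@") and mail_domain(sender) == mail_domain(rcpt):
        hits.append("from-spoofs-own-domain")
    # Trait 2: the "deactivated mailbox" lure in the subject line.
    if LURE_SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("deactivation-lure")
    # Trait 3: a zip attachment that actually contains an executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_has_executable(part.get_content()):
            hits.append("zip-with-executable")
    return hits
```

A message that matches all three traits is a strong candidate for quarantine; the own-domain spoof alone is worth checking against SPF/DKIM results, since a legitimate notifications@ sender at your domain should pass both.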

Zbot, also known as Zeus, is a family of sophisticated information-stealing trojans, which are able to hijack online banking credentials and surreptitiously transfer money to accounts controlled by the attackers. It seems that email spam has become the preferred method of distribution for the authors of these trojans. Recent such campaigns have targeted UK Vodafone and Verizon mobile customers and Facebook users.