Sep 16, 2010 13:19 GMT  ·  By

Security researchers from Websense warn that new ZBot-related campaigns combine pharma spam with malicious attachments.

The rogue emails, which hit spam traps in large numbers since yesterday, bear subjects like "Greetings from Rivermark Bill Payer!" or "Labels and such" and carry malicious ZIP or HTML attachments.

"For example, the message may state that $375 has been sent to a mail recipient's account, and include a link to view the transaction in the recipient's account.

"Opening the attachment results in a compromised user machine via an obfuscated JavaScript in the attached HTML file," Websense warns.

The label.html file attached to these emails is obfuscated with a commercial tool called HTMLProtector and contains code that checks the user's browser.

If the user agent is Gecko (Firefox) or KHTML (Chrome and Safari), a meta redirect is performed and the victim is taken to a Canadian pharmacy spam website.

Meanwhile, other emails in this campaign come with a label.zip file attached. This archive contains an .exe file with the same name, which installs a variant of the notorious ZBot trojan.
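As an added defender-side example (not Websense's code), the following Python triage helpers flag the two attachment patterns described above: an HTML file that sniffs the user agent and issues a meta refresh, and a ZIP archive whose executable carries the archive's own name. The sample attachments are constructed stand-ins, and the function names are assumptions.

```python
import io, re, zipfile
from pathlib import PurePosixPath

# Hypothetical triage helpers (added example, not Websense tooling). They flag
# the two attachment patterns the article describes: an HTML page that sniffs
# the user agent and meta-redirects, and a ZIP holding an .exe named after it.
UA_SNIFF = re.compile(r"navigator\.userAgent|Gecko|KHTML", re.I)
META_REFRESH = re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I)
EXEC_EXT = {".exe", ".scr", ".pif", ".com"}

def triage_html(data):
    """Reasons an HTML attachment looks like the redirect decoy."""
    text = data.decode("latin-1", errors="replace")
    reasons = []
    if UA_SNIFF.search(text) and META_REFRESH.search(text):
        reasons.append("user-agent sniffing combined with meta refresh")
    return reasons

def triage_zip(name, data):
    """Reasons a ZIP attachment looks like the executable dropper."""
    reasons = []
    stem = PurePosixPath(name).stem.lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            m = PurePosixPath(member)
            if m.suffix.lower() in EXEC_EXT:
                reasons.append(f"executable inside archive: {member}")
                if m.stem.lower() == stem:
                    reasons.append("executable name mirrors archive name")
    return reasons

def triage_attachment(name, data):
    """Dispatch on filename; returns [] for attachment types not covered here."""
    lower = name.lower()
    if lower.endswith((".html", ".htm")):
        return triage_html(data)
    if lower.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        return triage_zip(name, data)
    return []

def build_samples():
    """Constructed stand-ins for label.html and label.zip (not real samples)."""
    html = (b"<html><script>if(/Gecko|KHTML/.test(navigator.userAgent)){"
            b"document.write('<meta http-equiv=\"refresh\" content=\"0;url=http://pharmacy.invalid/\">');}"
            b"</script></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("label.exe", b"MZ constructed stub, not a real binary")
    return {"label.html": html, "label.zip": buf.getvalue()}
```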

"The malware copies itself to 'C:\Documents and Settings\user\Application Data\Ewca\refef.exe' and tries to access two sites located in the .ru zone," the Websense researchers explain.

Over 100,000 such email messages were intercepted yesterday, suggesting that these campaigns have become more aggressive. Moreover, the company announced that even more ZBot emails have appeared since then.

"Beware of mails with subjects 'Shipping Notification' and 'Corrections.html'," the security vendor warned via its Twitter account today.

ZBot is one of the most active malware families at the moment and has been primarily responsible for the spike in ZIP attachment spam during the past several months.

Because the trojan is generated with a crimeware kit sold on the underground market, tens of new ZBot samples appear on a daily basis.

According to the ZeuS Tracker project, the average signature-based AV detection rate for ZBot binaries is 44.84% at the moment.