ZeuS – now packed as an antivirus update

Last week, Kaspersky Lab identified a mass mailing of phishing letters sent in the name of leading IT security providers. The messages we detected used the product and service names belonging to Kaspersky Lab, McAfee, ESET NOD32 and many others.

The text and general layout of each letter followed the same template; only the senders’ names and the IT security solutions mentioned in the text were different. In their messages, the cybercriminals invited the reader to install an important security update for his/her security solution to guarantee protection against a new piece of malware supposedly ravaging the web. To do so, the user simply needed to open the attached ZIP archive and launch the executable file in it. Not surprisingly, the writers urged their victims to act immediately rather than spend time thinking about who might be behind this sudden urgent letter.

One of the phishing messages

However, even the name of the attached file should have set alarm bells ringing for the user: too many numbers, meaning it was obviously generated in an arbitrary manner.

As a matter of fact, there is a malicious program in the attached archive, detected by Kaspersky Lab’s products as Trojan-Spy.Win32.Zbot.qsjm. This Trojan belongs to the renowned Zeus/Zbot family, and is designed to steal confidential user information, preferably banking and financial data. Using this malware, cybercriminals can modify the contents of banking sites by planting malicious scripts in them to steal authentication data such as login credentials and security codes. To these endsTrojan-Spy.Win32.Zbot.qsjm can also take screenshots and even capture video, intercept keyboard input, etc. In addition, this Trojan is notable in that it does not access a pre-determined C&C to receive commands and a configuration file, but rather uses a P2P protocol to receive this data from other infected computers.

Here are some more examples of messages containing malicious attachments, all taken from the mailing lists that we discovered:

The subject lines of these messages follow the same template with the cybercriminals just changing the names of the security products in them. The messages are sent from real users’ mailboxes that were apparently hijacked after their computers were infected with the malicious program and became part of a botnet.

Following this incident we would like to remind readers that no reputable IT security manufacturer would send security updates for its product in a zipped attachment to an email address. Moreover, we don’t recommend opening any file attached to an email unless you are expecting it and know who the sender is.

ZeuS – now packed as an antivirus update

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox