Fast, safe, and reliable–the promise of money transfer companies. They have been popular because of the convenience in transferring money in almost any part of the world. A convenience being enjoyed by spammers as well.

Recently, the Content Security team caught spam claiming to be from Western Union containing a notice of an uncollected money transfer. The uncollected money is to be returned to the sender, who is supposed to be the recipient of the mail. In order to encash, an instruction from the email “advices” the recipient to print the “invoice” attached. But wait, is it really a legitimate invoice?

Opening the attachment reveals an executable file, which may or may not have the extension (.EXE) visible. The more discerning user could think at the circumstances when invoices are delivered in an executable file format?

The answer to the question is in this case redundant, since the attached file, in truth, is not a real invoice but a malicious file detected as TSPY_ZBOT.AXJ. TSPY_ZBOT.AXJ monitors Internet activity on the affected system and waits for the user to access certain banking-related websites. Once the user does indeed access a banking-related website, it then steals any information entered into the site, compromising the user’s account. Furthermore, TSPY_ZBOT.AXJ normally bears an icon similar to those used for Microsoft Excel spreadsheets, which is used to convince the user into thinking that it is an invoice.

It has been some time since we’ve last seen a malicious spam run that leveraged on Western Union, and this one proves that those kind of attacks aren’t going away just yet. Users will be glad to know that the Smart Protection Network already protects them from this threat.