Advanced threats researcher Ivan Macalintal spotted a fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a “jerk” posted photos of them and contained a link to the said images.
Note that the spammed messages appear to come from innocent users whom the recipients presumably knew. In addition, they were also signed, or at least carried the sender’s name at the end of the message. In the sample above, the sender’s name has been blurred to protect his/her identity. Combined, these cues may lead users to believe the message is legitimate.
However, the link does not go to any legitimate social-networking or photo-hosting site. Users were instead prompted to download a “photo archive.”
The photo archive is actually a ZBOT variant detected by Trend Micro as TROJ_KRAP.SMDA. Like all ZBOT variants, it steals users’ personal banking information and sends the stolen data to cybercriminals. A summary of the ZBOT/ZeuS malware family’s behavior can be found here.
In addition, the download page also contains a malicious iframe that leads to a website which previously hosted the Phoenix Exploit’s Kit. That kit was designed to take advantage of vulnerabilities in several popular applications like Adobe Flash, Internet Explorer (IE), Microsoft Office, and Mozilla Firefox.
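To make the download page’s double threat concrete, here is an added example (not Trend Micro’s code) that scans fetched page HTML for the two signs described above: an executable offered as a “photo archive” and a hidden iframe pointing at a third-party host. The page URL, hostnames and HTML are constructed for illustration.

```python
"""Flag a download page that pairs a fake 'photo archive' with a hidden
third-party iframe. Added example; sample page and domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: offers an executable as "photos" and silently loads a
# zero-size frame from another host, the exploit-kit redirection pattern.
SAMPLE_PAGE_URL = "http://photos-lure.example/view.php"
SAMPLE_HTML = """
<html><body>
<p>Download the photo archive: <a href="/photos.zip.exe">photos.zip</a></p>
<iframe src="http://third-party.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

SUSPICIOUS_EXT = (".exe", ".scr", ".pif", ".com")


class LureScanner(HTMLParser):
    """Collects iframes and executable download links for scoring."""

    def __init__(self):
        super().__init__()
        self.iframes = []    # (src, concealed) tuples
        self.downloads = []  # hrefs ending in an executable extension

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") == "0" or a.get("height") == "0"
            concealed = tiny or "hidden" in style or "display:none" in style
            self.iframes.append((a["src"], concealed))
        elif tag == "a" and (a.get("href") or "").lower().endswith(SUSPICIOUS_EXT):
            self.downloads.append(a["href"])


def scan_page(page_url, html):
    """Return a list of findings for the page; an empty list means clean."""
    scanner = LureScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src, concealed in scanner.iframes:
        frame_host = urlparse(src).hostname
        if frame_host and frame_host != page_host:  # cross-host frame only
            kind = "hidden" if concealed else "visible"
            findings.append(f"{kind} third-party iframe -> {frame_host}")
    for href in scanner.downloads:
        findings.append(f"executable offered as photo archive -> {href}")
    return findings
```

Running `scan_page(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports both the hidden cross-host iframe and the executable download; either finding alone is enough reason to block the page before the user clicks.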
Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching users’ inboxes via the email reputation service. It also blocks access to the malicious sites via the Web reputation service and prevents the download and execution of the malicious files via the file reputation service.
Non-Trend Micro product users may also benefit from using free tools like eMail ID, a browser plug-in that helps users identify legitimate email messages in their inboxes. Users can also call upon HouseCall, Trend Micro’s highly popular and capable on-demand scanner that identifies and removes viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.