ZBOT has currently been spotted engaging in another spam run targeting Facebook yet again.
By clicking the link embedded in the email, users will land on a Facebook phishing page.
This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS.
For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe or the ZBOT binary (detected as TSPY_ZBOT.CCB).
Trend Micro Smart Protection Network blocks all related spammed mesasges and ZBOT domains and prevents the download of all related files.