Dec 15, 6:36 am (UTC-7) | by Joey Costoya
ZBOT has been spotted in yet another spam run targeting Facebook.
By clicking the link embedded in the email, users will land on a Facebook phishing page.
This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS.
For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe or the ZBOT binary (detected as TSPY_ZBOT.CCB).
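A triage check for the page layout described above, as an added example that is not from the original post: it flags a page that combines a password field with an iframe loaded from a different host. The function names, the heuristic and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageScan(HTMLParser):
    """Collect iframe sources and note whether the page has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.iframe_srcs = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            # Resolve relative and scheme-relative URLs against the page URL.
            self.iframe_srcs.append(urljoin(self.page_url, a["src"].strip()))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True


def triage(page_url, html):
    """Report off-host iframes and whether they appear next to a login form."""
    scan = PageScan(page_url)
    scan.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    # Skip iframes with no host (about:blank, javascript:) and same-host frames.
    off_host = [u for u in scan.iframe_srcs
                if (urlparse(u).hostname or "").lower() not in ("", page_host)]
    return {
        "password_field": scan.has_password_field,
        "off_host_iframes": off_host,
        "suspicious": scan.has_password_field and bool(off_host),
    }


# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE = """
<html><body>
<form action="login.php" method="post">
  <input type="text" name="email"><input type="PASSWORD" name="pass">
</form>
<iframe src="http://kit.example/index.php"></iframe>
<iframe src="/help.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(triage("http://login.phish.example/", SAMPLE))
```

A hit is only a lead for analysis: legitimate login pages also embed third-party frames, so the listed iframe hosts still need to be checked against reputation data.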
Trend Micro Smart Protection Network blocks all related spammed messages and ZBOT domains and prevents the download of all related files.








