ZBOT Variant Spoofs the NIC to Spam Other Government Agencies

Spammers are becoming bolder, targeting even government agencies such as the National Intelligence Council (NIC) to further their malicious causes.
Trend Micro fraud analysts were recently alerted to the discovery of spammed messages that purported to come from the NIC—the Intelligence Community (IC)’s center for midterm and long-term strategic thinking. The NIC provides intelligence reports to members of the IC, including the National Security Agency (NSA).
Independent security journalist Brian Krebs confirmed in his blog that these messages were spoofed, for several obvious reasons, including:

The email address used in the spammed messages was nic@nsa.gov.
Another version purported to come from admin@intelink.gov. Extracting the header information, however, revealed that the real sender’s email address was {BLOCKED}@sh16.ruskyhost.ru.
The spam run also specifically targeted email addresses with .gov and .mil domain names.

The spammed messages persuaded recipients to download the .EXE file attachment, a spoofed version of the NIC’s “2020 Project.” In reality, however, the file is a ZBOT variant detected as TROJ_ZBOT.SVR.
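The indicators described above (a .gov address in the From line, a different real sender in the headers, and an .EXE attachment) can be checked mechanically. The following is an added example, not code from the article or from Trend Micro; the sample message is constructed, and its local part, relay names, IP address, filename and the use of Return-Path to carry the real sender are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed sample modelled on the article's description. The local part
# "blocked", the relay names, the IP, the filename and the use of Return-Path
# to carry the real sender are assumptions, not details from the article.
SAMPLE = """\
Return-Path: <blocked@sh16.ruskyhost.ru>
Received: from sh16.ruskyhost.ru (sh16.ruskyhost.ru [192.0.2.10])
\tby mx.example.gov
From: "National Intelligence Council" <nic@nsa.gov>
Subject: 2020 Project
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached report.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="2020_Project.exe"

placeholder bytes, not a real binary
--b1--
"""
RISKY_EXT = (".exe", ".scr", ".pif", ".com")

def domain(value):
    """Lower-cased domain of an address header value, or '' if absent."""
    _, sep, dom = parseaddr(value or "")[1].rpartition("@")
    return dom.lower() if sep else ""

def triage(raw):
    """Return a list of spoofing indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {env_dom}")
    # The last Received header is the earliest hop, nearest the true origin.
    hops = msg.get_all("Received", [])
    if hops and from_dom and from_dom not in hops[-1].lower():
        findings.append(f"earliest hop does not mention {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment: {name}")
    return findings
```

A From/Return-Path mismatch also occurs with legitimate bulk senders, so these findings are triage signals to combine, not proof of spoofing on their own.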
Like its well-known predecessors, this ZBOT variant is also an information stealer, as evidenced by the following published reports:

Facebook Phishing Page Leads to Exploits and ZBOT
Balance Checker Mail Carries ZBOT Trojan
ZBOT/Zeus Sends Out Tailor-Made Spam

Trend Micro product users need not worry, however, as Smart Protection Network™ protects them from this threat by preventing (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.