Spam with “Pictures” Used to Spread ZBOT

Advanced threats researcher Ivan Macalintal spotted a fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a “jerk” posted photos of them and contained a link to the said images.

Note that the spammed messages appear to be from innocent users that the recipients presumably knew. In addition, they were signed or at least had the sender’s name at the end of the message. In the sample above, the sender’s name has been blurred to protect his/her identity. Combined, these details may lead users to believe the message is legitimate.
However, the link does not go to any legitimate social-networking or photo-hosting site. Users were instead prompted to download a “photo archive.”

The photo archive is actually a ZBOT variant detected by Trend Micro as TROJ_KRAP.SMDA. Like all ZBOT variants, it steals users’ personal banking information and sends the stolen data to cybercriminals. A summary of the ZBOT/ZeuS malware family’s behavior can be found here.
In addition, the download page contains a malicious iframe leading to a website that previously hosted the Phoenix Exploit’s Kit, which was designed to take advantage of vulnerabilities in several popular applications like Adobe Flash, Internet (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.