Zapped By Zeus? New Phishing Campaign Spreads Banking Trojan


The Zeus banking Trojan, popular with cybercriminals out to steal account credentials and drain bank accounts, is spreading via a new phishing campaign that masquerades as an antivirus security update, according to security vendor Sophos.

The U.K.-based security firm last week said its antispam filters had detected the phishing threat, which uses a variety of well-known antivirus names to trick users into installing the malware. The messages are completely bogus and solution providers should always advise clients to never believe emails purporting to contain an important security patch, Sophos warned.

"It's all a pack of lies," wrote Paul Ducklin, head of technology in Sophos' Asia-Pacific region. "Neither Microsoft nor any other reputable company would send out security updates as email attachments."

[Related: Phish Food For Thought: 10 Ways To Identify A Phishing Attack]

Phishing attacks are on the rise, according to solution providers, who say they often result in attempts to steal account credentials rather than infect systems with malware. A Phishing attack often is the first technique an attacker uses to gain initial access to a corporate network, said Rob Delevan, national account manager at Salt Lake City-based Wasatch I.T., in a recent interview with CRN.

"Cybercriminals will go to any length to trick users into visiting an attack website or opening a file attachment," Delevan said. "Phishing is recognized as the most common attack technique because it is effective."

Cybercriminals have used a long line of phony security updates to trick users into opening phishing attack attachments. Several years ago, Microsoft issued a security advisory warning users about a phony Windows update that was spreading malware. Phishing attacks also have used Microsoft Patch Tuesday advisories to trick users into opening attachments.

According to Sophos' analysis, if users are tricked into opening the latest phishing campaign, the file attachment will be named "Hotfix_Patch." The file contains the malicious code that targets Windows users, adding itself to the system registry so it executes every time the system is rebooted, said Ducklin.

In addition to Sophos, the messages are using popular antivirus names including AVG, Kaspersky Lab, Windows Defender and Windows Security Essentials.

The malware installed on a victim's system is a variant of Zeus, which should be detected by most antivirus engines. Zeus malware infections increased in 2013, according to statistics provided by Trend Micro. The malware, which first surfaced in 2007, continues to be incorporated into automated attack toolkits.

Cybercriminals constantly modify the malware, creating different variants in an attempt to evade antivirus and other signature-based security detection technologies, Trend Micro said. From February through the middle of May, the firm said it detected hundreds of thousands of infections.

Trend Micro said last month that Cryptolocker, the malware that encrypts victim's files and demands payment for the decryption key, was linked to the Zeus Trojan family.

Kervin Alintanahin, a Trend Micro threats analyst, called the Cryptolocker link troubling because Zeus is designed to steal online banking account credentials. Attackers can use stolen information to start unauthorized banking transactions, Alintanahin said.

PUBLISHED NOV. 25, 2013