A new ZBot variant appears in PayPal “Rechnung” emails. The attached files contain the ZBot malware variant, which at this moment (7 PM local Belgian time) is detected by only 3 of the 36 antivirus engines on Virus Total. This type of distribution was also detected by MX Lab in late June.
The content of the malware emails
Dear customers,
Your order no. SP4323451 has been fulfilled.
An amount of 6789.46 EURO has been debited and will appear on your bank statement as a PayPal debit. You will find the details of the invoice in the attachment.
PayPal (Europe)
S.031; r.l. & Cie, S.C.A.
46-31 Boulevard Royal
L-1472 Luxembourg
Respectfully,
Authorized representative: Christopher Darden
Commercial register number: R.C.S. B 734 037
Trojan-Spy.Zbot is a rootkit trojan that steals online banking information and also downloads other malware. It opens backdoors on the infected computer to give a malicious attacker unauthorized access.
The malware seems to have its origin in Russia and also connects to a Russian web site at http://*******.ru/millioner/millionertest.bin. It also creates some files on the system, such as ntos.exe, and it modifies the registry.
Virus Total permalink; the MD5 hash is 606ab42e4c906f933bc9c5ab62b798d9.
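A sweep for the indicators named in this post (the MD5, the ntos.exe file name and the URL path), as an added example that is not MX Lab's code. The function names and sample URLs are assumptions made for illustration; the MD5 is that of the analysed sample, so a dropped ntos.exe may match by name only.

```python
import hashlib
import os
from urllib.parse import urlsplit

SAMPLE_MD5 = "606ab42e4c906f933bc9c5ab62b798d9"  # MD5 given in the post
DROPPED_NAME = "ntos.exe"                         # file the post says is created
REMOTE_PATH = "/millioner/millionertest.bin"      # URL path; host is redacted in the post

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_tree(root):
    """Return (path, reason) for files matching the dropped name or the sample MD5."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == DROPPED_NAME:
                hits.append((path, "filename"))
            try:
                if md5_of(path) == SAMPLE_MD5:
                    hits.append((path, "md5"))
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
    return hits

def match_proxy_urls(urls):
    """Return URLs on a .ru host whose path equals the one reported in the post."""
    hits = []
    for url in urls:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        if host.endswith(".ru") and parts.path.lower() == REMOTE_PATH:
            hits.append(url)
    return hits

# Constructed sample URLs; the host names are placeholders, not real indicators.
SAMPLE_URLS = [
    "http://host.example.ru/millioner/millionertest.bin",
    "http://host.example.com/millioner/millionertest.bin",
    "http://host.example.ru/index.html",
]

if __name__ == "__main__":
    print(match_proxy_urls(SAMPLE_URLS))
```

Run `scan_tree` against a mounted disk image or a user profile directory, and feed `match_proxy_urls` the URL field extracted from proxy or DNS-aware web logs.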
