Email regarding Facebook account update is a phish – part 2

MX Lab has intercepted emails that appear to be Facebook phishing emails.

The From address is obviously fake and not related to Facebook in any way. These come in with the subjects:

Facebook Account Update
Facebook Update Tool
new login system

This time we managed to reach a live host where the supposed phishing site was hosted. We visited htxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email=xxx@xxx.com and were presented with a fake login screen.

After filling in a dummy login and password we were redirected to the following screen. To our surprise we did not find a web form asking for personal details, but instead a link to a malware file, updatetool.exe.

This malware is known as Gen:Trojan.Heur.Zbot.gq0@cS0Ulyb (BitDefender), PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos). As you may know by now, ZBot is a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives the attacker remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system. The hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll are created as well, together with the hidden directory %System%\lowsec.

New memory pages are created in the address space of the system processes %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe and %System%\alg.exe, and of %ProgramFiles%\internet explorer\iexplore.exe.

Windows registry modifications are also part of the infection, and a connection to a remote host is established: hxxp://193.104.27.42/lcc/ip2.gif and hxxp://193.104.27.42/ip.php.

VirusTotal permalink and MD5: 1ccbe2c88bbaeb8a72ca0ef7e5e51738. It is detected by only 17 of the 41 AV engines at VirusTotal.
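The indicators above (dropped file names, the C2 host and paths, the phishing domain and the MD5) are the kind of thing a mail or proxy administrator wants to turn into a quick check. The following script is an added example, not MX Lab's code: it collects the indicators from this post into one place, scans proxy log lines for the C2 URLs and for the lookalike domain, and compares a file's MD5 against the sample hash. The log format (client, method, URL, status) and the sample log lines are constructed for the demo, the System32 path is an assumed expansion of %System%, and the lookalike rule (any host that contains "facebook.com" but is not facebook.com or a subdomain of it) generalises the www.facebook.com.ujtqwaqo.eu trick rather than matching only that domain.

```python
"""Match proxy log lines and files against the Zbot/Facebook-phish indicators
from the post. Added example; the IoC values are taken from the post, the log
format, sample lines and paths are constructed for this demo."""
import hashlib
import re
from dataclasses import dataclass

# Indicators from the post.
KNOWN_MD5 = "1ccbe2c88bbaeb8a72ca0ef7e5e51738"
C2_HOST = "193.104.27.42"
C2_PATHS = {"/lcc/ip2.gif", "/ip.php"}
# File names dropped under %System%; the %System% prefix is supplied by the caller.
DROPPED_FILES = {
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
    r"lowsec\user.ds.lll",
}

# Constructed proxy log: "client method url status" (not a real log format).
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.15 GET http://193.104.27.42/lcc/ip2.gif 200
10.0.0.15 GET http://193.104.27.42/ip.php 200
10.0.0.17 GET http://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=abc 200
10.0.0.19 GET http://www.facebook.com/ 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?\s]*)?")


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def classify_url(url):
    """Return a reason string if the URL matches an indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group(1).lower()
    path = m.group(2) or "/"
    if host == C2_HOST and path in C2_PATHS:
        return "zbot-c2"
    # Lookalike rule: "facebook.com" appears in the host but the registrable
    # domain is not facebook.com (e.g. www.facebook.com.ujtqwaqo.eu).
    if "facebook.com" in host and not (host == "facebook.com" or host.endswith(".facebook.com")):
        return "facebook-lookalike"
    return None


def scan_proxy_log(text):
    """Scan log text and return one Hit per line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        client, _method, url, _status = m.groups()
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits


def md5_matches_sample(data):
    """True if the given file bytes hash to the MD5 reported in the post."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


def dropped_file_hits(paths, system_dir=r"C:\Windows\System32"):
    """From a list of absolute paths (e.g. a directory listing), return those
    that match the dropped file names under %System% (assumed to be System32)."""
    wanted = {(system_dir + "\\" + name).lower() for name in DROPPED_FILES}
    return sorted(p for p in paths if p.lower() in wanted)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit.client} {hit.reason} {hit.url}")
```

Run against the embedded sample it reports the two C2 fetches and the lookalike login page, and leaves the genuine www.facebook.com request alone. In practice you would feed it real proxy export lines (after adjusting LOG_RE to the actual format) and the output of a directory listing of %System%.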

2 Comments

  1. [...] Facebook account update (part 1) Facebook account update (part 2) [...]

  2. How does one remove the Facebook Malware discussed on 11/1/09?

    This malware is known as Gen:Trojan.Heur.Zbot.gq0@cS0Ulyb (BitDefender), PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos).

    I clicked on it yesterday and have had about 40 emails in my box since then requesting me to update my account…

    Thanks,
    Barry

